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SECTION  I 

BACKGROUND  AND  OBJECTIVES 

1.  THE  CONCEPT  OF  FUNCTIONAL  REDUNDANCY 

A  high  degree  of  reliability  in  control  data  instrumentation  is 
vital  to  the  mission  of  USAF,  and  this  objective  is  typically  accom¬ 
plished  by  comparing  the  outputs  of  redundant  system  components.  How¬ 
ever,  the  weight,  volume,  and  cost  penalties  of  such  equipment  redun¬ 
dancy  can  be  substantial. 

Data  systems  already  onboard  the  aircraft  -  the  air  data  computer, 
inertial  system  (free  or  aided),  attitude  and  heading  reference  system, 
and  the  rate  gyros  and  accelerometers  of  the  automatic  flight  control 
system  -  provide  functionally  related  data.  This  form  of  inherent  func¬ 
tional  redundancy  among  sensor  signals  can  be  exploited  rather  than  re¬ 
sorting  exclusively  to  hardware  duplication  to  achieve  the  desired  level 
of  data  system  reliability. 

To  date,  such  functional  redundancy  has  not  been  employed  in  the 
development  of  fault  tolerant  or  high  reliability  systems.  Instead, 
the  reliability  of  individual  system  components  has  been  improved,  and 
then  these  components  are  incorporated  redundantly  with  some  form  of 
comparison  logic  to  generate  a  reliable  signal.  Such  comparisons  re¬ 
quire  a  minimum  of  two  signals  to  indicate  a  discrepancy,  and  a  minimum 
of  three  signals  to  determine  the  appropriate  signal  level  if  a  dis¬ 
crepancy  does  exist.  Thus,  for  a  system  to  operate  normally  in  the 
face  of  a  single  sensor  failure,  that  sensor  must  exist  in  triplicate 
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so  that  the  comparison  logic  can  isolate  (and  remove)  the  faulty  signal. 
It  is  desirable  for  the  more  critical  systems  to  be  able  to  tolerate 
two  failures,  necessitating  another  level  of  redundancy,  or  quadruplet 
components.  Such  a  level  of  hardware  redundancy  becomes  prohibitive  as 
systems  become  more  complex  and  sophisticated. 

A  viable  alternative  would  be  to  replace  some  levels  of  hardware 
redundancy  with  the  functional  redundancy  that  exists  among  the  outputs 
of  the  different  sensors  in  the  aircraft.  Thus,  functional  redundancy 
is  viewed  as  a  complement  to  equipment  redundancy  for  an  overall  system, 
providing  the  same  level  of  reliability  with  fewer  components  than  re¬ 
quired  if  subsystem  outputs  were  not  correlated  with  one  another. 

It  is  also  a  complement  to,  rather  than  a  replacement  for,  other 
means  of  fault  detection.  Some  types  of  failures  are  more  appropri¬ 
ately  handled  by  these  other  techniques.  As  envisioned  in  this  report, 
the  functional  redundancy  algorithm  might  have  an  iteration  rate  of  ap¬ 
proximately  5  Hz.  A  number  of  iterations  might  be  required  to  declare 
a  failure  and  isolate  the  failed  signal,  resulting  in  a  time  period  on 
the  order  of  one  second  before  a  failed  signal  might  be  removed  from 
the  overall  data  system.  Such  a  response  time  would  probably  not  be 
sufficient  for  safety  of  flight  parameters.  The  iteration  rate  would 
be  increased;  but  since  most  signals  would  not  require  a  faster  re¬ 
sponse  time,  the  benefits  would  become  marginal  compared  to  the  in¬ 
crease  in  computer  loading. 
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Certain  types  of  errors,  such  as  deterministic  biases  and  scale 
factor  errors,  can  be  readily  evaluated  by  means  of  filtering  and  com¬ 
pensation  techniques  on  individual  or  redundant  identical  components. 
Functional  redundancy  might  be  employed  in  part  to  detect  which  signal 
is  biased  out  of  tolerance,  but  estimating  and  compensating  for  the 
actual  bias  value  is  achieved  more  easily  by  comparison  of  the  signal 
to  that  of  an  identical  component. 

Similarly,  many  hard  failures  are  readily  detected  by  built-in¬ 
test  (BIT)  capabilities  of  individual  components. 

Functional  redundancy  is  most  applicable  to  the  detection  of 
failures  that  are  currently  isolated  by  comparing  signals  of  identical 
sensors.  These  might  be  hard  (or  catastrophic)  signal  failures  or 
"soft"  failures  in  which  the  signal  slowly  drifts  away  from  the  true 
parameter  value.  Rather  than  comparing  duplicate  signals,  though,  a 
sensor  signal  is  compared  to  an  estimate  of  its  value  generated  from 
other  functionally  related  signals.  These  functional  relationships 
encompass  kinematic  differential  equations,  as  well  as  geometric  and 
aerodynamic  relations  that  characterize  aircraft  motion.  For  example, 
an  inertial  system  indicates  angular  orientation  of  the  vehicle,  while 
rate  gyros  associated  with  the  flight  control  system  measure  the  vehicle 
angular  rates.  A  kinematic  relationship  exists  between  these  quanti¬ 
ties,  and  such  a  functional  relationship  allows  the  correlation  of 
data  taken  from  the  two  sensor  systems. 
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Actually,  the  pilot  and  crew  have  been  required  to  perform  such 
cross  correlation  in  verifying  the  validity  of  independent  subsystem 
measurements.  However,  as  aircraft  incorporate  more  sophisticated  and 
extensive  avionics,  multiple  mode  or  mission  capabilities,  and  higher 
speed  and  meaneuverability,  especially  in  the  case  of  single-seat  vehi¬ 
cles,  the  time  the  crew  is  able  to  devote  to  such  performance  monitoring 
becomes  very  restricted.  Therefore,  it  is  essential  that  as  much  in¬ 
formation  as  possible  be  automatically  digested,  interpreted,  and  pre¬ 
sented  to  the  crew  in  a  usable  and  concise  form.  Functional  redundancy 
can  be  incorporated  into  the  data  system  design  to  provide  such  reliable 
capability  with  a  minimum  of  equipment  duplication. 

2.  BASIC  ALGORITHM  FORMULATION 

The  functional  relationships  provide  the  system  equations  of  a 
model  reference  for  the  failure  detection  and  isolation  technique.  The 
appropriate  sensor  signals  are  used  as  "inputs"  to  this  model  reference, 
the  functional  relationships  thereby  generating  model  reference  "out¬ 
puts."  By  comparing  these  outputs  to  the  measured  values  of  these 
quantities,  i.e.,  signals  generated  by  other  sensors,  error  signals  are 
produced.  These  are  then  fed  back  through  appropriate  gains  so  that  the 
model  reference  tracks  the  measurements. 

When  the  functional  relationships  are  linear  differential  equations 
and  the  statistics  of  noises  and  uncertainties  are  adequately  modelled 
as  Gaussian,  the  Kalman  filter  provides  such  a  model  reference.  Moreover, 
if  the  dynamics  are  nonlinear,  an  extended  Kalman  filter  that  linearizes 
about  the  most  recent  estimate  of  nominal  parameter  values  can  be 
utilized.  4 
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Sensor  failure  detection  is  achieved  by  monitoring  the  individual 
components  of  the  sequence  of  residuals,  the  individual  error  signals 
generated  by  differencing  a  measured  output  and  the  model  reference's 
best  estimate  of  what  its  value  should  be.  With  no  sensor  failures, 
this  sequence  of  residuals  should  possess  certain  characteristics,  such 
as  being  white,  zero-mean,  and  Gaussian.  A  consistent  departure  from 
such  a  characterization  would  indicate  a  fault,  and  the  specific  manner 
in  which  this  departure  manifests  itself  in  the  residual  sequence  can 
be  used  to  isolate  the  particular  fault  involved  (at  least  partially 
isolate  it,  if  not  totally). 

A  logical  and  effective  means  of  discerning  such  departures  would 
be  through  the  use  of  the  statistical  detection  theory  method  of  ob¬ 
serving  the  magnitude  of  appropriately  defined  likelihood  functions. 

If  the  magnitude  of  a  certain  residual  is  consistently  higher  than  nor¬ 
mal,  the  magnitude  of  the  likelihood  function  also  increases.  When  its 
value  surpasses  some  preselected  threshold  for  acceptable  behavior  under 
normal  conditions,  a  fault  is  declared.  By  noting  the  pattern  of  such 
threshold  passings,  the  exact  cause  can  (often)  be  deduced. 

3.  SYSTEMS  EMPLOYED 

In  order  to  demonstrate  the  performance  capabilities  of  the  func¬ 
tional  redundancy  concept,  the  following  sensor  systems  were  considered: 

(1)  the  inertial  navigation  system 

(2)  the  attitude  and  heading  reference  system 
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(3)  the  air  data  system 

(4)  the  rate  gyros  and  normal  accelerometer  of  the  automatic 
flight  control  system. 

The  concept  can  be  applied  to  other  measurement  systems  as  well, 
such  as  those  associated  with  the  propulsion  system  or  external  naviga¬ 
tion  aids.  However,  the  scope  of  this  work  was  confined  to  the  above 
systems  to  yield  a  concerted  effort  in  an  area  partially  investigated  by 
a  previous  study  [0]. 

There  are  eighteen  (18)  individual  signals  to  be  utilized  in  the 
functional  redundancy  algorithm.  These  signals  would  be  sent  to  a  com¬ 
puter  interface  which  would  provide  sampling  and  A/D  conversion  of  the 
signals,  yielding  algorithm  inputs  in  usable  form.  The  individual  sig¬ 
nals  from  the  four  measurement  systems  are: 

From  the  Inertial  Navigation  System  (INS): 

(1)  Pitch  (e) 

(2)  Roll  (♦) 

(3)  Heading  (^) 

(4)  Acceleration  along  local  horizontal  axis  xh  Uxh) 

(5)  Acceleration  along  local  horizontal  axis  yh  (ayh) 

(6)  Vertical  acceleration  (azh) 
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From  the  Attitude  and  Heading  Reference  System  (AHRS): 

(1)  Pitch  (e* ) 

(2)  Roll  (♦') 

(3)  Heading  (V) 

From  the  Air  Data  Computer  (ADC): 

(1)  Angle  of  attack  (a) 

(2)  Indicated  airspeed  (v^ ) 

(3)  True  airspeed  ( v_ ) 

Q 

(4)  Altitude  (h) 

(5)  Altitude  rate  (h) 

From  the  Automatic  Flight  Control  System  (AFCS)  sensors: 

(1)  Pitch  rate  (wy) 

(2)  Roll  rate  (wx) 

(3)  Yaw  rate  (wz) 

(4)  Normal  acceleration  (az) 

The  three  angles  from  the  INS  are  available  from  g'mbal  resolvers 
or  from  the  gyros  themselves;  the  accelerations  are  taken  from  the  plat¬ 
form  accelerometers,  and  are  thus  coordinatized  in  local  horizontal 
axes.  (The  exact  definition  of  xh  and  yh  in  the  horizontal  plane  would 
depend  on  the  inertial  system  mechanization,  and  can  actually  be  defined 
for  convenience  since  any  choice  would  be  related  to  what  is  actually 
available  by  a  simple,  known  rotation  transformation.)  The  displacement 
gyro  assembly  of  the  AHRS  provides  its  indication  of  the  three  Euler 
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angles.  To  generate  its  five  signals,  the  ADC  processes  inputs  from 
various  air  data  sensors:  the  angle  of  attack  probe  and  associated 
transmitter,  the  temperature  probe  and  its  transmitter,  the  static 
pressure  source,  and  the  pitot  pressure  source  (the  latter  two  typically 
being  coupled  pneumatical ly  to  the  computer).  Finally,  the  AFCS  sensors 
provide  signals  proportional  to  the  body  rates  and  normal  acceleration 
in  vehicle  body  coordinates. 

The  signals  described  above  are  the  nominal  inputs  to  the  failure 
detection  algorithm.  It  may  be  beneficial  to  input  an  indication  of 
commanded  or  actual  control  surface  positions  for  adaptability  purposes, 
as  will  be  discussed  in  Section  III. 7.  However,  the  basic  description 
of  the  system  will  first  consider  only  the  nominal  inputs. 

The  measurement  systems  employed  are  found  in  virtually  all  modern 
aircraft,  and  thus  the  failure  detection  concept  is  applicable  to  any 
particular  vehicle.  To  assure  a  realistic  evaluation  of  the  technique, 
a  particular  aircraft  was  chosen  to  represent  typical  applications;  the 
F-4  chosen  because  of  the  relative  availability  of  data  about  its  per¬ 
formance  and  instrumentation.  A  previously  developed  simulation  model 
of  the  F-4  vehicle  and  its  various  sensor  subsystems  [0]  was  utilized  in 
the  first  phases  of  analysis.  Since  any  simulation  model  is  a  sim¬ 
plification  of  the  real  world  environment,  subsequent  analysis  replaced 
the  simulation  with  actual  data  recordings  from  test  aircraft,  with 
simulated  sensor  failures  added  to  real  data.  This  second  phase  of 
analysis  provided  as  realistic  a  means  of  performance  evaluation  as 
possible  without  actual  sensor  failures  in  flight.  Essentially,  it  was 
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conducted  to  corroborate  the  conclusions  of  the  analysis  based  on  the 
aircraft  simulation  program. 

4.  MAJOR  FAILURE  MOOES 

A  substantial  effort  was  conducted  previously  [  ]  to  delineate  the 
major  failure  modes  of  the  sensor  instrumentation  onboard  a  typical  air¬ 
craft.  These  modes  were  then  included  in  the  simulation  program  used  to 
evaluate  failure  detection  performance  (a  portion  of  this  effort  includ¬ 
ed  the  revision  and  modification  of  the  program  to  provide  a  better  sim¬ 
ulation). 

4.1  SUDDEN  FAILURES  WITH  SUDDEN  EFFECTS 

Certain  failures  affect  sensor  measurements  directly,  so  that  a 
sudden  failure  causes  a  sudden  effect.  Many  failures  involving  the  air 
data  system  are  of  this  type.  These  would  include: 

(1)  Sudden  leak  in  the  static  line:  this  would  cause  a  sudden 
erroneous  measure  of  altitude,  altitude  rate,  and  indicated 
airspeed,  the  error  being  detectable  during  any  portion  of 
the  flight  regime. 

(2)  Sudden  leak  in  the  pitot  line:  indicated  airspeed  would 
undergo  a  sudden  change,  this  error  being  detectable  at  any 
time. 
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(3)  Sudden  increase  in  noise  of  static  pressure  transducer  output: 
would  cause  noisy  measurements  of  altitude,  altitude  rate,  and 
indicated  airspeed,  being  detectable  during  any  portion  of 

fl ight. 

(4)  Sudden  increase  in  noise  of  pitot  pressure  transducer  output: 
would  similarly  cause  a  noisy  indicated  airspeed  signal,  being 
evident  at  any  time. 

(5)  Tachometer  failure:  would  result  in  the  loss  of  altitude 
rate,  being  detectable  only  when  the  aircraft  is  either  as¬ 
cending  or  descending. 

(6)  Bent  angle-of-attack  vane:  would  result  in  a  sudden  increase 
in  the  bias  of  the  angle-of-attack  measurement,  and  would  be 
detectable  during  any  flight  regime;  this  would  also  adversely 
affect  the  computed  indicated  airspeed  generated  in  the  fail¬ 
ure  detection  algorithm. 

(7)  Sudden  increase  in  noise  of  angle-of-attack  output  potentiom¬ 
eter:  angle-of-attack  signal  would  undergo  a  sudden  increase 
in  noise  level,  occurring  during  any  portion  of  flight;  this, 
too,  would  corrupt  the  computed  indicated  airspeed  developed 
in  the  detection  algorithm. 
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(8)  AFCS  normal  accelerometer  pickoff  failure:  would  immediately 
affect  the  computed  indicated  airspeed  created  by  the  model 
reference  of  the  failure  detection  algorithm,  and  this  effect 
should  be  noticeable  at  any  time. 

(9)  Sudden  float  leak  of  an  INS  vertical  accelerometer:  would 
generate  a  sudden  error  in  the  vertical  acceleration  signal, 
and  a  slow  drifting  effect  on  INS  altitude  outputs  as  well. 

Only  the  vertical  accelerometer  is  used  directly  in  the  pre¬ 
sent  failure  detection  algorithm--had  the  INS  accelerometers 
been  used  to  check  the  AFCS  normal  accelerometer,  a  sudden 
failure  of  an  INS  accelerometer  would  yield  a  sudden  error  in 
this  signal  correlation. 

4.2  SUDDEN  FAILURES  WITH  DRIFTING  EFFECTS 

Certain  types  of  failures  do  not  directly  affect  measurements,  so 
that  their  results  are  not  sudden,  but  drifting,  erroneous  signal  lev¬ 
els.  Failure  modes  of  this  form  encompassed: 

(1)  Clogged  static  line  to  ADC:  the  altitude,  altitude  rate,  and 
indicated  airspeed  will  become  erroneous  if  the  vehicle  changes 
altitude  or  airspeed  (neither  of  which  can  be  changed  instan¬ 
taneously,  so  this  is  in  fact  a  drifting  type  effect). 

(2)  Clogged  pitot  line  to  ADC:  indicated  airspeed  will  drift  off 
true  value  if  the  vehicle  changes  airspeed. 
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(3)  Jammed  angle-of-attack  vane:  the  ADC  angle-of-attack  signal 
will  exhibit  a  "drifting"  type  error  as  the  true  angle  of 
attack  varies  in  flight.  (The  simulation  program  was  incapa¬ 
ble  of  producing  this  type  of  failure.) 

(4)  INS  vertical  gyro  torquer  failure:  drifting  of  pitch  and/or 
roll  attitude  indications  would  result,  eventually  corrupting 
all  INS  outputs. 

(5)  INS  heading  gyro  torquer  failure:  heading  measurement  would 
undergo  a  drift,  and  other  INS  outputs  would  be  affected  in 
time. 

(6)  INS  gyro  float  leak:  this,  or  any  other  failure  that  would 
cause  a  center  of  gravity  shift,  will  result  in  acceleration- 
induced  gyro  drifts;  in  level  flight  the  gravity  induced  drift 
affects  the  INS  heading  output,  while  during  a  turn  both  the 
heading  and  pitch  indications  of  the  INS  are  affected;  eventu¬ 
ally,  all  INS  outputs  would  be  adversely  affected. 

(7)  Vertical  gyro  servo  failure:  loss  of  slaving  causes  a  drift 
in  the  AHRS  roll  indication,  so  this  is  detectable  only  during 
relatively  level  flight,  since  the  slaving  loop  is  turned  off 
during  high  rate  maneuvers. 

(8)  Directional  gyro  servofailure:  loss  of  slaving  yields  a  drift 
in  the  AHRS  heading  signal  during  relatively  level  flight. 
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(9)  Failure  of  cutoff  for  vertical  gyro:  if  the  servo  cutoff  sys¬ 
tem  fails  to  operate,  the  AHRS  bank  measurement  drifts  when  a 
nongravitational  acceleration  is  present,  as  during  a  turn. 

(10)  Failure  of  cutoff  for  directional  gyro:  similarly  the  AHRS 
heading  indication  will  drift  under  nongravitational  accelera¬ 
tions. 

(11)  AFCS  rate  gyro  failure:  during  a  period  of  changing  vehicle 
orientation,  a  rate  gyro  failure  (as,  a  pickoff  failure  yield¬ 
ing  no  output  from  the  gyro)  will  cause  the  rate  indication  to 
be  erroneous. 

There  are  also  drifting  failures  that  cause  drifting  effects,  but 
the  simulation  program  does  not  account  for  these  modes.  Nevertheless, 
the  preceding  two  categories  of  failure  modes  should  indicate  the  via¬ 
bility  of  this  failure  detection  concept. 

5.  RESULTS  OF  PREVIOUS  STUDY 

A  nominal  approach  trajectory  involving  level  flight,  final  turn, 
pitchover,  and  descent  was  utilized  as  a  means  of  evaluating  the  per¬ 
formance  of  this  detection  technique.  First,  a  set  of  runs  were  con¬ 
ducted  with  no  failures  simulated,  in  order  to  specify  bounds  on  likeli¬ 
hood  function  values  under  normal  circumstances.  These  then  would  be 
used  as  the  thresholds  beyond  which  a  failure  would  be  declared. 
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Once  this  was  accomplished,  the  same  trajectory  was  flown  with 
failures  simulated  at  various  points.  The  time  to  detection  of  the 
failure  was  then  recorded,  as  was  the  time  to  any  false  alarm. 

Table  I,  taken  from  the  previous  study  [0],  summarizes  the  experi¬ 
mental  results  for  detection  of  sudden  failures  with  sudden  effects. 

The  first  column  lists  the  type  of  failure  simulated  along  with  the  ex¬ 
pected  failure  indications.  The  second  column  denotes  the  portion  of 
the  trajectory  (level,  turn,  or  descent)  during  which  the  failure  oc¬ 
curred.  The  third  column  specifies  the  actual  means  of  simulating  the 
failures  and  the  magnitudes  of  these  failures.  For  those  cases  in 
which  different  magnitudes  are  involved,  the  notation  used  is  b 
=  a  bias,  o  =  the  lo  value  to  specify  the  strength  of  a  Gaussian  noise 
source,  and  e  =  coefficients  of  gyro  or  accelerometer  errors  linear  in 
acceleration.  The  last  two  columns  indicate  the  time  to  detection 
and/or  false  alarms  in  seconds. 

Sudden  changes  in  bias  (due  to  leaks)  or  noise  level  are  readily 
detected  for  static  and  pitot  pressure  sources,  the  detection  being 
more  sensitive  to  altitude  rate  than  altitude  effects  of  such  a  failure 
(static  pressure  failures  did  not  affect  indicated  airspeed  due  to  an 
error  in  the  simulation  program,  which  has  since  been  rectified). 

Both  bias  and  noise  type  failures  on  the  angle-of-attack  measure¬ 
ment  signal  were  detected  for  sufficiently  large  magnitude  failures. 
However,  a  false  alarm  on  airspeed  was  consistently  obtained.  The 
angle-of-attack  value  would  influence  the  vertical  Kalman  filter  and 


14 


AFFDL-TR-76-93 


DETECTION  OF  SUDDEN  FAILURES  WITH  SUDDEN  EFFECTS 


Failure:  Erroneous  Output  Location* 


Massive  leak  in  static  line: 
Altitude;  Altitude  rate 


Massive  leak  in  pitot  line: 
Indicated  airspeed 


Excessive  noise  in  static 
pressure  output  altitude: 
Altitude  rate 


Excessive  noise  in  pitot 
pressure  output:  Indicated 
airspeed 


Tachometer  failure: 
Altitude  rate 


Bent  anqle-of-attack 
vane:  Annie  of  attack 


Simulation 


bp  =  bp  +  50 

bp  *  bp  *  100 
bp  *  bp  *  200 

b  *  b  +  400 
P  P 

b  =  b  +  800 
P  P 


b; +  75 

b*  =  b*  +  1 50 

b*  =  b*  +  300 
P  P 

b*  =  b*  +  600 
P  P 

b*  =  b*  +  1200 
P  P 


Time  Before  Detection 

(seconds)  False  Alarms 


=  400 
P 

■,  =  800 
P 


b  »  b  «■  0.0075 

i  i 

b  =  b  +  0.0150 

b  =  b  +  0.030 

n  f 

b  =  b  +  0.060 


b  =  b  +  0.12 
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TABLE  I  (Concluded) 


Failure:  Erroneous  Output 

- 

Time  Before  Detection 

Location* 

Simulation 

(seconds) 

False  Alarms 

-  0.0075 

» 

-- 

=  0.0150 

- 

Noisy  potentiometer: 

Angle  of  attack 

Turn 

U. 0300 

4.0 

Airspeed 
(7.2  s) 

0.060 

2.4 

Airspeed 
(0.8  s) 

0.120 

0.8 

Airspeed 
(0.4  s) 

Normal  accelerometer 

Turn  J 

.na 

=  -1 

0.2 

pickoff  failure: 

Airspeed 

1 

na 

=  0 

-a 

--  'a  =  0.0025 

33 

31 

rd 

*  ~a  =  0.005 

u 

INS  accelerometer  float 
leak:  Vertical 

Turn  * 

33 

31 

acceleration 

-a 

=  'a  •  0.01 

_  _ 

33 

31 

-a 

=  'a  =  0.02 

33 

31 

-a 

=  "a  0.04 

33 

31 

Level,  turn,  and  descent  locations  in  the  landing  approach  correspond  to  Points  1,  2,  3, 
respectively,  in  Figure  13. 
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airspeed  check  portions  of  the  model  reference  (see  paragraph  2  of 
Section  II),  and  so  such  an  alarm  could  be  expected,  but  after,  rather 
than  before,  the  appropriate  failure  detection. 

It  was  surmised  in  the  report  that  the  vertical  acceleration  errors 
were  not  detected  because  the  thresholds  were  set  at  too  high  a  magni¬ 
tude,  though  not  substantiated  by  further  analysis. 

Table  II  portrays  the  results  of  the  experiments  involving  sudden 
failures  with  drifting  effects.  The  clogged  static  line  was  detected, 
but  the  corresponding  pitot  line  failure  was  not.  In  the  previous  re¬ 
port,  it  was  suggested  that  this  might  be  due  to  the  threshold  on  the 
indicated  airspeed  being  set  too  high.  This  may,  in  fact,  be  the  case, 
but  lowering  it  would  also  tend  to  intensify  the  phenomenon  in  Table  I 
of  an  airspeed  failure  being  declared  before  the  appropriate  angle-of- 
attack  failure  being  detected. 

The  inability  of  the  method  to  detect  INS  gyro  torque  failures  and 
AHRS  gyro  servo  failures  was  attributed  to  the  fact  that  these  would 
cause  low  magnitude  drifts,  on  the  order  of  earth  rate.  No  explanation 
was  offered  for  the  case  of  loss  of  cutoff  for  the  directional  gyro. 

Failures  that  produced  large  drifts  were  readily  detected,  expeci- 
ally  in  the  case  of  an  INS  gyro  float  leak.  A  "false"  alarm  of  INS  bank 
was  indicated  for  all  of  these  test  runs.  Flowever,  a  failure  in  one 
gyro  will  cause  erroneous  output  data  along  other  gimbal  axes  as  well. 
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TABLE  II 

DETECTION  OF  SUDDEN  FAILURE  WITH  DRIFT  EFFECTS 


Failure:  Erroneous  Output 

Location 

Simulation 

Time  Before  Detection 
(seconds) 

False  Alarms 

Clogged  static  line: 

Altitude,  vertical 

Descent 

i  =  100 

1.4,  2.0 

velocity 

P 

Clogged  pitot  line:  i 

Turn 

t:  -  ioo 

ao 

Indicated  airspeed  { 

1 

Descent 

1*  =  100 

on 

— 

INS  vertical  gyro 

torguer  failure:  Pitch, 

Level 

4?  =  1 

ao 

-- 

bank,  or  both 

INS  heading  gyro 

torquer  failure:  Heading 

Level 

c3  '  1 

.°° 

-  “ 

Sfj  *  0.0025 

0.6 

INS  bank  (7.2  s) 

cf,  *  0.00S 

0.4 

INS  bank  (5.0  s) 

INS  gyro  float  leak: 

Level  • 

=  0.01 

0.2 

INS  bank  (3.6  s) 

INS  heading 

cf,  =0.02 

0.2 

INS  bank  (2.8  s) 

1^1  =0.04 

0.2 

INS  bank  (2.0  s) 

*  0.0012 

1.2,  2.2 

INS  bank  (4.0  s) 

=  0.0025 

0.8,  1.6 

INS  bank  (2.8  s) 

INS  gyro  float  leak: 

Turn 

£?,  =  0.005 

0.4,  1.2 

INS  bank  (2.0  s) 

INS  heading,  INS  pitch 

INS  bank  (1.4  s) 

£?,  =  0.010 

0.2,  1.0 

Angle  of 

Attack  (3.8  s) 

Vertical 

Velocity  (8.8  s) 

INS  bank  (0.8  s) 

£?,  =  0.020 

0.2,  0.6 

Angle  of 

Attack  (2.6  s) 

Vertical 

Velocity  (6.2  s) 

Loss  of  cutoff  for 

Turn 

a*  =  ,0° 

4.8 

AHRS 

vertical  gyro:  AHRS  bank 

vg2 

Pitch  (9.6  s) 

Loss  of  cutoff  for 

Turn 

adn  =  100 

directional  gyro: 

ag 

AHRS  heading 

Vertical  gyro  servo 

Level 

a*  = 

« 

failure:  AHRS  bank 

vg2 

Directional  gyro  servo 

Level 

ada  ’ 

-- 

failure:  AHRS  heading 

ag 

Rate  gyro  failure: 

Turn 

■  -1.  °rg  -  0 

0.6 

INS  heading  (0.4  s) 

Rate  gyro 

z  rgz 

INS  pitch  (1.2  s) 

INS  bank  (1.2  s) 

AFFDL-TR-76-93 


and  one  should  expect  such  propagation  of  effects  due  to  a  failure. 

Note  that  these  "false"  detections  occurred  after  the  appropriate  fail¬ 
ure  indications,  and  that  for  large  enough  failures  and  time  for  errors 
to  propagate,  such  errors  propagate  into  other  portions  of  the  model 
reference,  causing  additional  false  alarms. 

A  rate  gyro  failure  caused  an  erroneous  INS  heading  failure  declar¬ 
ation  for  one  algorithm  iteration  before  the  proper  rate  gyro  failure 
was  indicated.  As  was  appropriately  discussed  in  the  previous  report, 
this  was  due  to  the  fact  that  a  failed  rate  gyro  is  indicated  by  a 
number  of  likelihood  functions  surpassing  their  threshold  values.  If 
this  does  not  occur  approximately  simultaneously  (i.e.,  both  within  the 
same  algorithm  iteration  period),  then  incorrect  failure  declarations 
will  result.  "Appropriate  adjustment  of  thresholds  or  provision  for  a 
'yellow  zone1  in  the  detection  logic"  were  suggested  as  means  of  allevi¬ 
ating  this  problem.  The  other  false  alarms  occurred  subsequent  to  the 
proper  declaration,  and  could  probably  be  suppressed  by  appropriate 
logic  design. 

The  previous  study  also  considered  the  computer  requirements  of  the 
functional  redundancy  (also  denoted  as  "internal"  redundancy)  failure 
detection  logic.  Table  III  (from  this  earlier  report)  summarizes  these 
requirements  for  implementations  on  three  representative  computers, 
assuming  that  the  algorithm  would  be  iterated  five  times  a  second.  For 
a  state-of-the-art  computer,  only  3.18  percent  of  real  time  would  be 
consumed  by  this  logic.  Other  requirements  would  include: 
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TABLE  III 

COMPUTER  TIME  REQUIREMENTS  OF  THE  INTERNAL  REDUNDANCY  METHOD 


Time  Requirements 

No.  Required 

PS) 

Operation 

by  Method 

State  of  the  Art 

NDC-1051 A 

SDS-920 

Adds 

600 

1 ,200 

3,600 

9,600 

Multiplies 

320 

3,200 

7,320 

10,240 

Divides 

30 

360 

1,500 

6,720 

Square  roots 

2 

100 

200 

1,000 

Trigonometry 

functions 

10 

500 

1,000 

5,000 

Transfers 
and  tests 

500 

o 

o 

o 

2,000 

4,000 

Total  time 
taken  for  one 
cycle 

6,360 

15,620 

36,560 

x5 

x5 

x5 

Time  required 

for  five  cycles 

31 ,800 

78,100 

182,800 

Percentage  of 
real  time 

3.18 

7.81 

18.3 
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(1)  less  than  2000  words  of  storage 

(2)  an  18-bit  or  longer  wordlength 

(3)  nine  input  channels  A/D  for  attitude  related  quantities  and 
seven  input  channels  A/D  for  translational  motion  related 
quantities 

(4)  simple  no/no-go  output  channel  for  each  of  the  quantities 
checked  by  the  logic. 

From  a  first-iteration  cost-effectiveness  analysis,  it  was  conclud¬ 
ed  that  the  cost  advantage  of  the  functional  redundancy  method  over  a 
hardware  redundancy  approach  would  be  substantial  if  the  algorithm  could 
be  implemented  through  time-sharing  of  an  existing  computer.  If  an  ad¬ 
ditional  computer  were  required  for  these  calculations,  the  cost  benefit 
would  only  be  marginal,  but  the  intention  is  not  to  provide  a  separate 
dedicated  computer  for  this  purpose. 

6.  OBJECTIVES  OF  THIS  INVESTIGATION 

The  previous  study  has  indicated  some  degree  of  feasibility  of 
using  functional  redundancy  to  detect  and  isolate  control  data  sensor 
failures.  A  major  objective  of  this  effort  has  been  to  improve  the 
performance  capabilities  of  the  basic  concept.  In  other  words,  it  is 
desirable  to  minimize  both  the  missed  alarms  and  the  false  alarms  pro¬ 
duced  by  the  detection  logic. 

Means  of  achieving  this  objective  have  included: 


; 
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(1)  Formulation  of  a  systematic  means  of  determining  appropriate 
parameters  for  the  statistical  description  of  noises  and  un¬ 
certainties  corrupting  sensor  outputs,  thereby  attaining  op¬ 
timum  model  references; 

(2)  Exploration  of  alternative  model  references,  and  conducting 
trade-off  analyses  of  performance  improvement  versus  addi¬ 
tional  computer  loading; 

(3)  Development  of  an  initialization  technique  that  can  be  com¬ 
bined  with  simple  model  references  to  provide  overall  per¬ 
formance  comparable  to  that  of  the  more  complex  model  refer¬ 
ences; 

(4)  Investigation  of  alternate,  more  systematic,  means  of  estab¬ 
lishing  maximum  likelihood  estimator  thresholds  for  declaring 
failures; 

(5)  Thorough  analysis  of  likelihood  function  characteristics  under 
normal  circumstances  and  with  failed  sensors,  over  the  enve¬ 
lopes  of  possible  flight  regimes,  to  characterize  the  speci¬ 
fic  aspects  that  differentiate  an  "abnormal"  likelihood  func¬ 
tion  from  a  "normal"  one; 
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(6)  Utilization  of  such  likelihood  function  characterizations  to 
determine  superior  detection  logic,  such  as  establishing 
"tight"  thresholds  with  a  required  number  of  consecutive  it¬ 
erations  for  which  the  threshold  is  surpassed  before  declara¬ 
tion  of  a  failure,  or  threshold  being  adaptive  to  amount  of 
maneuvering  as  indicated  by  commanded  or  actual  control  sur¬ 
face  positions; 

(7)  Determination  of  the  sensitivity  of  detection  performance  to 
system  variations  that  are  within  acceptable  tolerances  (as 
especially  biases); 

(8)  Evaluation  of  the  ability  to  detect  sensor  failures  from  a 
signal  environment  generated  by  a  real  aircraft,  thereby  sub¬ 
stantiating  conclusions  from  the  analysis  based  on  the  digital 
simulation  of  aircraft  and  sensors. 

The  other  major  objective  of  this  effort  has  been  to  develop  the 
failure  detection  algorithm  and  associated  digital  program  to  a  point 
where  it  can  be  used  as  a  systematic  design  tool .  Its  purpose  would  be 
to  aid  the  design  of  an  eventual  implementation  of  a  tuned  and  optimized 
software  package  for  a  particular  application  of  functional  redundancy 
for  failure  detection.  To  meet  this  objective,  the  digital  implementa¬ 
tion  of  the  algorithm  has  been  revised  to  provide  a  maximum  of  design 
flexibility.  Some  of  these  characteristics  are: 
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(1)  The  functional  redundancy  failure  detection  subroutines  can 
be  driven  either  by  a  simulation  of  a  chosen  aircraft  and  in¬ 
strumentation  or  recorded  data  with  simulated  failures  cor¬ 
rupting  the  signals. 

(2)  The  statistical  description  of  sensor  errors  required  for  the 
Kalman  filters  in  the  algorithm  can  be  readily  altered  to  cor¬ 
respond  to  any  specified  sensor  systems,  and  an  associated 
program  has  been  written  to  aid  in  evaluation  of  statistics 

if  they  are  not  available  from  performance  data  or  power  spec¬ 
tral  density  evaluations  of  desired  sensor  systems. 

(3)  The  algorithm  iteration  frequency  can  be  altered. 

(4)  The  number  of  samples  included  in  each  likelihood  function 
evaluation  can  be  set  by  the  engineer. 

(5)  Strengths  of  "pseudonoises,"  used  to  depict  the  uncertainty 
with  which  the  model  references  represent  the  true  physical 
interrelationships,  can  be  optimized  to  yield  the  best  pos¬ 
sible  tracking  ability  of  those  model  references.  Once  the 
optimum  values  are  evaluated,  these  would  be  incorporated 
into  the  onboard  implementation. 
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(6)  For  each  likelihood  function  involved  in  the  detection  logic 
the  threshold  value  beyond  which  a  failure  is  declared  can 
be  changed  through  a  data  input  to  the  program. 

(7)  Similarly,  the  "time  to  failure  declaration"  parameter,  spe¬ 
cifying  the  time  (or  number  of  iteration  periods)  that  a 
threshold  must  consistently  be  surpassed  before  declaring  a 
failure,  can  be  redefined  for  each  likelihood  function  by 
means  of  data  input. 

To  facilitate  interpreting  the  influence  of  the  various  control¬ 
lable  parameters,  a  substantial  number  of  outputs  are  available  from  a 
single  run  of  the  computer  program,  in  both  printout  and  plot  form. 
These  include: 

(1)  For  each  Kalman  filter  incorporated  in  the  design,  the  differ 
ence  between  a  filter  estimate  and  the  "true"  value  of  that 
corresponding  variable  (available  only  when  the  aircraft  and 
instruments  are  simulated,  not  when  real  data  tapes  are  used) 
is  printed  and  plotted  as  a  function  of  time. 

(2)  The  above  can  be  compared  to  printouts  and  plots  of  the  cor¬ 
responding  standard  deviations  (one  sigma  values)  generated 
through  the  state  error  covariance  matrix  propagated  by  the 
Kalman  filter. 
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The  pseudonoises  can  be  adjusted  until  the  true  differences  and  one  sig¬ 
ma  values  correspond:  such  that  95%  of  the  "true  difference"  values  are 
within  the  2o  envelope,  or  99%  are  within  a  3o  envelope.  For  this  pur¬ 
pose,  plots  of  the  "true  differences"  and  la  values  from  a  number  of 
simulation  runs  will  be  more  useful  than  printouts,  and  these  are  gen¬ 
erated  by  the  program. 

(3)  Printouts  and  plots  of  the  individual  likelihood  functions 
utilized  in  the  detection  algorithm  are  generated.  The  plots 
are  especially  useful  in  discerning  the  salient  features  of 
the  likelihood  functions  under  normal-  and  failed-sensor  con¬ 
ditions,  which  would  be  instrumental  in  setting  threshold  and 
time-to-fai lure-declaration  parameters. 

(4)  Printouts  of  threshold  values,  time-to-failure-declaration 
parameters,  and  time  and  type  of  failure  declared  during  a 
simulated  or  real  flight  are  outputted. 

(5)  Single  likelihood  function  terms  (N  of  which  are  added  to  form 
the  likelihood  function)  and  corresponding  squared  residuals 
are  presented  to  aid  the  analysis  of  a  large  magnitude  likeli¬ 
hood  function  if  and  when  it  occurs. 

(6)  The  minimum  and  maximum  likelihood  function  values  in  the 
most  recent  N  iterations,  where  N  is  adjustable,  expedite 
the  final  selection  of  thresholds  and  time-to-failure-declar- 
ation  values. 
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(7)  Periodically,  all  pertinent  simulation  (or  real  environment) 
data  is  printed  out  in  addition  to  the  model  reference  and 
likelihood  function  performance  data. 

Various  modes  of  usage  of  this  failure  detection  concept  were  in¬ 
vestigated.  First,  the  types  of  failures  more  readily  or  appropriately 
detected  by  other  means  were  delineated.  Thus,  the  eventual  implementa¬ 
tion  would  operate  in  conjunction  with  the  initialization  procedures  pro¬ 
posed  in  this  report,  BIT,  reasonableness  tests,  deterministic  detection 
logic,  and  other  methods.  Failures  can  often  be  detected  before  being 
completely  isolated,  so  different  means  of  annunciating  failures  were 
studied.  Once  a  failure  is  declared  and  isolated,  that  sensor  data  can 
either  be  corrected  (if  possible)  or  removed  from  the  data  stream  alto¬ 
gether,  and  this  aspect  has  also  been  analyzed.  Finally,  if  a  sensor 
has  failed,  there  may  be  circumstances  under  which  testing  for  recerti¬ 
fication  of  that  sensor  would  be  warranted,  so  means  of  performing  this 
function  were  studied.  The  complexity  of  the  algorithm  can  range  from 
very  simple  to  very  sophisticated,  and  the  design  philosophy  of  building 
the  simplest  system  that  provides  adequate  performance  for  a  particular 
application  is  applied  throughout. 

This  report  attempts  to  demonstrate  the  performance  capabilities 
of  the  functional  redundancy  concept  in  detecting  and  isolating  sensor 
failures.  Further,  it  depicts  the  manner  in  which  this  concept  would 
be  used  in  conjunction  with  other  means  of  detecting  failures  and  a  sys¬ 
tematic  method  of  reconfiguring  the  overall  data  system  once  failures 
are  detected.  Once  the  merits  of  the  functional  redundancy  concept 
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have  warranted  its  use  in  a  fault  tolerant  system,  the  design  tool  de¬ 
veloped  herein  can  be  exploited.  Thus,  a  viable,  cost-effective  failure 
detection  concept  is  presented,  along  with  a  means  of  incorporating  it 
into  a  total  data  system  structure. 
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SECTION  II 

THEORETICAL  DEVELOPMENT 

1.  FUNDAMENTALS  OF  KALMAN  FILTERING  AND  LIKELIHOOD  FUNCTIONS 

The  concept  of  functional  redundancy  as  a  means  of  detecting  sensor 
failures  is  dependent  upon  the  usage  of  functional  relationships  among 
measured  quantities  as  the  basis  of  a  model  reference.  Driving  such  a 
model  with  certain  measured  values  yields  model -referenced  estimates  of 
other  quantities,  whose  measured  values  are  available  from  other  sensors. 

A  substantial  number  of  functional  relationships  which  can  be  em¬ 
ployed  are  in  the  form  of  linear  differential  equations  driven  by  white 
Gaussian  disturbances.  In  this  case,  the  Kalman  filter  is  the  appropri¬ 
ate  model  reference  to  use.  Essentially,  a  Kalman  filter  is  a  data  pro¬ 
cessing  algorithm  that  generates  the  maximum  likelihood  estimate  of  the 
state  of  a  linear  dynamic  system  model,  conditioned  on  all  observed  data 
up  to  the  time  the  estimate  is  made.  The  next  section  describes  the 
fundamentals  of  a  Kalman  filter  implemented  in  discrete  time;  i.e., 
sampled-data  measurements  are  made  periodically  and  incorporated  into 
the  filter.  This  is  appropriate  since  the  filter  will  be  implemented  on 
a  digital  computer,  an  inherently  discrete-time  device. 

1.1  THE  DISCRETE-TIME  KALMAN  FILTER 

It  will  be  assumed  that  modelling  techniques  have  produced  an 
adequate  system  description  in  the  form  of  a  linear  difference  equation, 
driven  by  a  combination  of  known  inputs  and  white  Gaussian  noise. 

Linear  measurements  are  made  upon  the  actual  system  variables,  and  these 
are  corrupted  by  white  Gaussian  noise. 

Thus,  the  system  state  is  described  by 

x(i+l)  =  $  ( i + 1 ,  i )  x  ( i )  +  B(i )u(i )  +  G(i)w(i)  (1) 

and  the  measurement  on  the  system  at  time  instant  i  is 

z(i)  =  H(i)x(i)  +  v(i)  (2) 

in  which  are  defined  the  vector  variables 
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x ( i )  =  n  -  dimensional 
uj i )  =  r  -  dimensional 
w(i )  =  s  -  dimensional 
_z(i )  =  m  -  dimensional 
v(i )  =  m  -  dimensional 


state  vector  at  time  instant  i 
deterministic  input 
driving  noise 
measurement  vector 
measurement  noise 


and  the  system  matrices 


$(i+l,i)  =  n-by-n  state  transition  matrix 
B(i)  =  n-by-r  deterministic  input  matrix 
G(i)  =  n-by-s  noise  input  matrix 
H(i)  =  m-by-n  measurement  matrix 


It  will  be  assumed  that  w(i)  and  v^(i)  form  independent  zero  mean 
white  noise  sequences,  each  having  a  Gaussian  density  with  known  co- 
variance: 


E[w( i ) ]  =  0 


(3) 


E[v(i)]  =  0 


(4) 


T  (  Q(i)  i  =  j 

E[w( i )w(j ) ' ]  = 

0  i  f  j 


(5) 


T  I  R(i)  i  =  j 

E[v(i)v(j)T]  « 

0  i  t  j 


(6) 


E[w(i)v(j)T]  =  0 


(7) 
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£(i)  is  a  positive  semidefinite  s-by-s  matrix,  and  R(i)  is  a  posi¬ 
tive  definite  m-by-m  matrix  (all  components  of  the  measurement  vector 
are  corrupted  by  white  noise). 

The  state  dynamic  relation,  (eq.  1),  is  valid  for  all  time  i  >  0, 
once  an  initial  condition,  x(0),  is  specified.  Since  this  value  is  not 
precisely  known,  it  will  be  modelled  as  a  random  variable  with  a  Gauss¬ 
ian  probability  density  parameterized  by  a  mean  x(0)  and  a  covariance 

Po- 


For  a  system  modelled  in  this  manner,  the  Kalman  filter  updates  the 
state  and  error  covariance  estimates  at  a  measurement  sample  time  by 

x(i)  =  x(i)  +  K(i)[z(i)  -  H(i)x(i)]  (8) 

P(i)  =  M(i)  -  K(i)H(i)M(i)  (9) 

where 

K(i)  =  M(i)HT(i)[H(i)M(i)HT(i)  +  R(i)]'1  (10) 

The  estimates  x(i)  and  x(-j)  are,  respectively,  the  state  estimates  at 
time  instant  i,  before  and  after  the  measurement  zji)  is  incorporated; 
similar  meaning  pertains  to  the  error  covariances  M(i)  and  P(i),  respec¬ 
tively. 

There  are  alternate  forms  of  equation  (9)  that  are  theoretically 
equivalent  but  different  computationally  due  to  finite  computer  word- 
length.  One  such  form  would  be 

P(i)  =  [X  -  K(i)H(i)]M(i)[l  -  K(i)H(i)]T  +  K( i )R( i )KT( i )  (11) 

Whereas  (9)  is  often  the  small  difference  of  large  numbers  (especially 
if  the  measurements  are  very  accurate),  (11)  is  the  sum  of  small,  sym¬ 
metric  terms  that  assures  positive  definiteness  of  the  resulting  P(i). 
Also,  it  is  less  sensitive  to  arithmetic  truncation  or  small  errors  in 
the  computed  value  of  K(i)  than  other  update  equations.  However,  it 
requires  considerably  more  computation,  so  a  performance  trade-off  would 
be  necessary  to  determine  if  it  warrants  usage.  Because  computer  memory 
and  time  are  critical,  the  lower  triangular  form  of  equation  (9),  possi¬ 
bly  with  double  precision  computations,  will  probably  be  employed. 
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To  propagate  the  estimate  to  the  time  of  the  next  measurement 
sample,  the  filter  relations  are 


x  ( i  + 1 ) 

=  |(i+l , i )x(i )  +  B(i )u( i ) 

(12) 

M(  i+1 ) 

=  v(i+l,i)P(i)iT(I+l,i)  +  G(i)Q(i)GT(i) 

(13) 

These  recursive  relationships  are  initiated  from  the  assumed 
density  that  describes  the  a  priori  knowledge  of  the  state: 

Gauss- 

x(0)  = 

*o 

04) 

P(0)  = 

P 

“0 

(15) 

1.2  DISCRETE-TIME  REPRESENTATION  OF  CONTINUOUS-TIME  DYNAMIC  SYSTEMS 

The  previous  section  assumed  a  system  description  in  the  form  of  a 
linear  difference  equation.  On  the  other  hand,  the  dynamic  relation¬ 
ships  to  be  employed  are  differential  equations.  Thus,  one  requires  a 
discrete-time  system  model  that,  as  seen  from  the  periodic  (sampled- 
data)  measurements,  yields  equivalent  system  dynamics. 

Let  the  continuous-time  model  of  system  dynamics  be 

X(t)  =  F(t)x(t)  +  B(t)u(t)  +  G( t)w(t)  (16) 

where  the  differential  equation  for  the  state  x(t)  is  driven  by  known 
inputs  u(t)  and  a  Gaussian  white  noise  w(t)  (such  a  noise  does  not  exist 
in  nature  but  the  model  is  often  adequate).  This  relationship  could 
also  be  modelled  somewhat  more  precisely  by  a  stochastic  differential 
equation,  but  the  above  relationship  will  be  employed.  Let  w(t)  have 
mean  zero  and  covariance  Q(t),  (t  -  t)  with  Q.(t)  chosen  to  duplicate  the 
low  frequency  power  spectral  density  of  the  actual  noise  entering  the 
system: 

E[w( t )]  =  0 

E[w(t1  )wT(  t2 )  ]  =  S(t1)<5(t1-t2) 
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Assume  that  at  time  instant  i  a  measurement  of  the  form  equation  (2)  is 
taken.  Further  assume  that  the  input  u(t)  is  (essentially)  constant 
between  sample  times  (i.e.,  over  a  single  algorithm  update  period). 

Under  these  assumptions,  the  values  of  $  (i+l,i),  B(i).  and  G(i )Q(i )GT(i ) 
required  in  equations  (12)  and  (13)  for  propagating  the  state  estimates 


can  be  found  by  integrating  []. 

i(t,t1 )  =  f.(t)v(t,ti )  (19) 

gt  D(t,ti)  =  B(t)  +  F(t)D(t,ti)  (20) 

^  N(t,ti)  =  F(t)N(t,t.)  +  N(t,ti)FT(t)  +  G(t)Q(t)GT(t)  (21) 

from  the  initial  conditions 

i(ti,ti)=i  (22) 

D(ti,ti)-0  (23) 

N(t1,ti)=0  (24) 

to  the  time  of  the  next  measurement,  and  then  setting 

!(1+1,1)  =  i(t1+1,ti)  (25) 

1(1)  =  D(t.+1,ti)  (26) 

G(i)Q(i)GT(i)  =  N(ti  +  rti)  (27) 
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These  relations  specify  the  discrete-time  model  that  duplicates  the 
dynamic  behavior  of  a  given  linear,  continuous-time  system  observed  in 
sampled  data  fashion. 

For  applications  in  which  the  sample  period  is  short  compared  to 
the  dynamic  system's  natural  modes,  first  order  approximations  to  the 
solution  of  these  differential  equations  will  often  suffice.  These 
approximations  are,  for  a  sample  period, 


*(1+1,1)  =  I  +  £(  t  .j )  AT 

(28) 

B(i)  =  BU^AT 

(29) 

)Q(i)GT(i)  =  G(ti)a(ti)GT(ti)AT 

(30) 

Such  an  approximation  would,  however,  be  maintained  subject  to  the  ade¬ 
quacy  of  resulting  filter  performance. 

1.3  EXTENDED  KALMAN  FILTER  FOR  SYSTEM  WITH  NONLINEAR  DYNAMICS 

Suppose  a  system  were  described  adequately  by  a  nonlinear  dynamic 
relationship  instead  of  a  linear  one:  let  the  system  state  equation  (1) 
be  replaced  by 

x(i+l)  =  f(x(i),u(i),w(i)]  (31) 

where  x(i),  u(i),  and  w(i)  assume  the  same  meaning  as  in  Section  II, 

1.1.  For  the  current  purposes,  consider  a  linear  measurement  as  in 
equation  (2). 

To  propagate  the  filter  estimate  to  the  time  cf  the  next  measure¬ 
ment  sample,  equation  (12)  would  be  replaced  by 

x(i+l)  =  f[x(i),u(i),0]  (32) 
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In  order  to  propagate  the  covariance  matrix,  as  in  equation  (13),  both 
<j>  i+l,i)  and  G(i)  must  be  evaluated.  These  are  obtained  by  linearizing 
f  (x,  ij,  w)  about  the  most  recent  values  of  x,  £,  and  mean  value  of  w 
(the  zero  vector).  Thus,  the  component  in  the  j-th  row  and  k-th  row  of 
these  matrices  would  be  computed  as 


Vi+M) 


9f,(x,u,w) 

3x, 


x  =  x(i ) 
u  =  u  ( i ) 
w  =  0 


(33) 


3f  .  (x ,u ,w) 

Gjk(i> ' 


x  =  x(i ) 
u  =  u(i ) 
w  =  0 


(34) 


The  updates  at  measurement  times  are  identical  to  equations  (8) 
through  (11),  and  the  initial  conditions  would  be  given  by  equations 
(14)  and  (15). 


1.4  LIKELIHOOD  FUNCTION  STATISTICAL  TESTING 

The  model  reference  (Kalman  filter  or  other  functional  relationship 
model  reference)  provides  outputs  in  the  form  of  estimates  of  the  values 
of  certain  variables  in  the  system  dynamics.  These  estimates  are  com¬ 
pared  to  measured  values  of  the  same  quantities  to  create  error  signals. 
Some  form  of  test  is  required  to  deduce  from  the  characteristics  of 
these  error  signals  whether  something  is  abnormal  in  the  system,  i.e, 
whether  a  failure  has  occurred. 


Generation  of  a  likelihood  function  for  the  time  history  of  each  of 
these  error  signals  provides  one  means  of  making  such  a  statistical 
test.  Conceptually,  the  N  most  recent  error  signal  values  are  examined 
to  determine  whether  they  differ  significantly  from  a  statistical  de¬ 
scription  of  their  values,  assuming  no  sensor  failures.  The  number  of 
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values  utilized,  N,  can  be  varied  to  obtain  reasonable  performance. 

More  than  one  would  be  desirable  to  preclude  failure  declarations  due  to 
single  error  samples  of  large  magnitude:  consistently  large  errors 
indicate  abnormalities,  whereas  individual  samples  of  large  magnitude 
are  to  be  expected.  Using  all  samples  from  initial  time  would  make  the 
likelihood  function  less  sensitive  to  sensor  failures  as  time  progressed. 
Consequently,  a  "moving  window"  of  the  N  most  recent  samples,  where  N 
might  be  on  the  order  of  5  to  20,  will  be  considered. 

Let  e(i)  be  a  given  error  signal  at  time  instant  i.  Then  the  con¬ 
ditional  joint  probability  density  function  of  the  most  recent  N  error 
values,  conditioned  on  previous  error  values,  would  be 

p[e(i),  e(i-l),  ...,  e(i-m+l ) |e(i-m) ,  ...e(l)] 

where  p[x|y]  is  the  conditional  probability  of  the  variable  x,  condi¬ 
tioned  on  the  value  of  y.  (To  be  precise,  a  distinction  should  be  made 
between  parameters  used  to  describe  a  density  function  and  actual  re¬ 
alized  values,  but  this  will  not  be  explicit  in  our  notation).  The 
particular  choice  of  this  conditional  density  may  not  be  entirely  clear, 
but  it  is  well  motivated  by  estimation  theory. 

Bayes'  Rule  for  conditional  density  functions  states  that 

p[a,b|c]  =  p[a|b,c]p[b'c]  (35) 

Applying  Bayes'  Rule  to  the  given  density  function  yields 

p[e( i ) ,e(i-l ) , . . . ,e( i-m+1 ) |e(i-m) , . . . ,e( 1 )] 

(36) 

=  p[e(i ) | e ( i - 1 ) , . . . ,e(l  )]p[e(i-l ), . . .  ,e(i-m+l ) |e(i -m) , . . . ,e(l )] 

Bayes'  Rule  can  then  be  applied  to  the  rightmost  density  in  equation 
(36)  to  expand  the  result  further.  Iterating  on  this  procedure  yields 

p[e(i),e(i-l),... ,e(i-m+l ) |e(i -m) , . . . ,e(l)] 

=  n  p[e( j )  |e( j-1 ) , . . .e( 1 )]  (37) 

j=i-m+l 
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which  is  the  product  of  the  conditional  densities  of  the  N  most  recent 
error  values,  each  conditioned  on  the  previous  time  history  of  error 
values. 


The  appropriate  likelihood  function  for  this  application  is  the 
natural  logarithm  of  the  conditional  probability  density  given  by  equa¬ 
tion  (37): 


Lf,(i)  =  In  p[e(  i ) , . .  .e(i  -m+1 ) ;  e(  i-m) , . . .  ,e(  1 )] 


In  p[e( j )  e(j-l ),. . .  ,e(l )] 

j=i-m+l 


(38) 


If  the  error  sequence  were  in  fact  a  set  of  independent,  zero-mean, 
Gaussian  random  variables,  this  expression  could  be  written  as 


LN(i> 


In 


j=i-m+l 


(2ti)1/2  o(j) 


exp 


C2(,i)/'2(j) 


(39) 


where  o(j)  is  the  estimated  variance  of  the  j-th  sample  and  £(j)  is  a 
dummy  variable  used  to  define  the  density  of  e(j).  Substituting  the 
realized  value  of  the  N  most  recent  e(j)  values  into  this  expression 
yields  the  likelihood  function  evaluated  for  data  actually  observed  as 

LN(i)  =  -  |  In  2tt  -  I  lno(j)  -  1  l  [e2(j)/o2(j)]  (40) 

j  =  i-m+l  j  =  i -m+1 


Thus,  the  likelihood  function  could  be  evaluated  approximately  as 


Ln(1)  =  LN(1-1)  -  L  e2(i )/a2( i )]  +  1  [e2(i-m)/a2(i-m)]  (41) 

This  relationship  could  be  used  after  the  first  N  measurements  had  been 
made  to  initialize  the  likelihood  function  value. 


AFFDL-TR-76-93 


It  can  be  shown  that,  if  the  error  sequence  were  actually  the  se¬ 
quence  of  residuals  from  a  Kalman  filter  whose  state  equations  dupli¬ 
cated  the  real  system  environment  and  whose  input  were  a  scaler  mea¬ 
surement  of  the  form 

z(i)  =  hT(i)x(i)  +  v(i)  (42) 

then  the  density  p[e(j) |e(j-l ),. . . ,e(l )]  required  in  equation  (38)  is  a 
Gaussian  density  with  mean  hT(j)x(j)  and  variance  [hT( j )M( j )h( j )  +  R(j)], 

_  o 

where  x(j)  and  M(j)  have  been  defined  previously.  Thus,  the  e  (j)  re¬ 
quired  in  equation  (41)  is  the  squared  residual, 

e2(j)  =  [z(j)-hT(j®j)]2  (43) 

and  the  l/o2(j)  term  is  equal  to 

l/a2(j)  =  l[hT(j)M(j)h(j)  +  R( j ) ]  (44) 

This  quantity  is  available  from  the  Kalman  filter  computations,  as  seen 

from  equation  (10).  If  more  than  a  single  measurement  were  incorporated 

? 

into  the  filter,  the  desired  1/a  (j)  terms  could  be  evaluated  as  the 
diagonal  terms  of  [H(j)  M(j)  H^(j)  +  R(j)]'1  (thereby  neglecting  off- 
diagonal  coupling). 

The  assumption  that  the  filter  dynamics  model  duplicates  the  true 
system  dynamics,  and  thus  the  assumption  that  the  residual  sequence  is 
white,  zero  mean,  and  Gaussian,  is  assuredly  violated  for  any  reasonably 
dimensioned  filter.  However,  substantial  effort  will  be  expended  to 
minimize  this  violation,  thereby  providing  adequate  performance.  Simu¬ 
lated  failures  involving  biases,  scale  factors  and  drifts,  as  well  as 
random  noise,  will  demonstrate  how  adequate  the  performance  is. 

In  order  to  generate  the  likelihood  functions  online,  the  N  most 

2  2 

recent  squared  error  signals  e  (j)  and  estimated  variances  o  (j)  are 
maintained  in  computer  storage.  As  time  progresses,  equation  (41)  is 
used  to  update  each  likelihood  function  at  each  sample  time.  As  can  be 
seen  from  either  equation  (40)  or  (41),  if  e  (j)  becomes  consistently 
larger  than  the  estimated  variance,  then  the  likelihood  function  will 
become  more  and  more  negative.  A  negative  threshold  level  that  the 
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likelihood  function  should  remain  (i.e.,  of  smaller  absolute  magnitude) 
can  be  determined,  and  then  a  failure  can  be  declared  if  the  value  goes 
beyond  this  threshold.  By  controlling  the  threshold  level,  the  number 
(N)  of  samples  comprising  a  likelihood  function,  and  possibly  the  time 
interval  over  which  the  threshold  is  exceeded  before  declaring  a  failure, 
the  number  of  false  alarms  and  missed  alarms  can  be  minimized.  The  last 
control  parameter,  the  time-before- failure-declaration,  allows  tighter 
thresholds  that  do  not  cause  false  alarms  due  to  transitory  threshold 
surpassing;  this  will  be  discussed  more  extensively  in  Section  III. 2. 5. 

Note  that  the  error  signals  that  are  not  generated  by  Kalman  fil¬ 
ters  also  require  estimated  variances  in  the  likelihood  function  eval¬ 
uation.  Since  dynamic  propagation  is  not  involved,  these  can  be  pro¬ 
vided  by  a  priori  estimated  values  of  appropriate  variance  magnitudes. 

2.  MODEL  REFERENCES 

This  section  describes  the  proposed  functional  relationships  to  be 
employed  in  the  detection  algorithm.  These  will  be  in  the  form  of  three 
sets  of  dynamic  relations,  which  will  serve  to  develop  three  Kalman 
filters,  and  an  algebraic  relationship  for  indicated  airspeed. 

2.1  MODEL  REFERENCE  RELATING  INS  ATTITUDES  AND  AFCS  BODY  RATES 

The  Automatic  Flight  Control  System  uses  three  rate  gyros  to  mea¬ 
sure  pitch  rate,  roll  rate,  and  yaw  rate  for  aircraft  stabilization. 

This  rate  information  is  functionally  related  to  the  vehicle  attitude, 
which  is  measured  by  the  Inertial  Navigation  System.  Let  x,  y,  and  z  be 
the  aircraft  angular  rotation  rates  about  longitudinal  (nose),  lateral 
(right  side),  and  normal  (underside)  axes;  and  e,  and  <p  be  yaw, 
pitch,  and  roll  angles,  respectively.  Then,  the  functional  relation¬ 
ships  are 

d'J  .  ,.r. 

=  wy  cos  v  -  wz  sin  !  (45) 
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d, 

dt 


sin  |  +  wz  tan  $  cos  $ 


(46) 


(47) 


These  equations  form  the  basis  of  the  mathematical  model  to  be 
employed  in  the  AFCS-INS  attitude  Kalman  filter.  Equation  (47)  is  in¬ 
determinate  if  the  pitch,  0,  is  90°  (gimbal  lock  condition);  the  algor¬ 
ithm  might  be  disenabled  temporarily  if  0  reaches  the  close  vicinity  of 
this  value.  Let  the  Euler  angles  0,  <t> .  and  i}>  be  the  three  state  vari¬ 
ables  of  the  model : 


The  rate  gyro  outputs  are  then  the  noise-computed  inputs  to  this  dynamic 
system.  Thus,  let  the  rate  gyro  outputs  be  denoted  as  u^ ,  u^,  and  u^: 


Thus  the  true  rates  are  corrupted  by  the  white  Gaussian  noise  w,  used  to 
model  the  noise  and  uncertainty  inherent  in  the  rate  gyros.  Using  this 
notation,  the  dynamics  to  be  incorporated  into  the  Kalman  filter  are 
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As  pointed  out  in  the  previous  report  [],  the  accuracy  of  this  ap¬ 
proximation  is  improved  if  the  value  of  u^(t)  at  the  midpoint  of  an  inte¬ 
gration  interval  were  used  instead  of  its  value  at  the  beginning  of  the 
interval.  At  time  instant  (i+1),  uh'  +  l)  is  available  as  a  measurement 
from  the  rate  gyros,  and  u^(i)  can  be  retrieved  from  computer  storage, 
and  the  average  value  1/2  [u(i+l)  +  u(i)]  generated  and  used  in  place  of 
u(i )  in  equation  (52) . 


There  are  more  accurate  methods  of  updating  nonlinear  dynamic  equa¬ 
tions,  but  unless  this  technique  does  not  yield  adequate  performance,  it 
would  be  best  to  use  a  simple  routine  that  does  not  burden  computer  time 
or  memory. 
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The  attitude  measurements  from  the  INS  are  also  corrupted  by  noise 
and  uncertainties,  and  thus  its  outputs  at  a  given  time  instant  i,  de¬ 
noted  as  z(i),  are  modelled  as 


where  v(i)  is  a  zero  mean,  white,  Gaussian  noise.  It  is  assumed  to  be 
uncorrelated  with  w(i),  so  that  the  statistics  required  for  the  Kalman 
filter  are  given  by  appropriate  R(i)  and  Q(i)  matrices,  the  covariances 
of  vji)  and  w(i),  respectively. 

Thus,  the  overall  mathematical  model  to  be  used  in  formulating  the 
Kalman  filter  would  be  as  in  Figure  1. 


Let  the  actual  attitude  measurements  from  the  INS  be  denoted  as 

6  INS ( i )  ’  ^INS(i)’  anci  ^INS(i)-  Generated  by  the  Kalman  filter  are  pre¬ 
dictions  of  what  these  values  should  be,  before  the  measurements  are  ac¬ 
tually  taken;  let  x^(i),  x^Ci),  and  x^O')  represent  these  values.  Then 
the  three  residuals  of  interest  are: 

el ^  ^  =  elNS( i )  "  X1 ^  (54a) 

e2(i)  =  'J’iNs(i)  '  x2^  (54b) 

e3(i)  =  ^INS  ( i )  "  *3^  ^54c) 
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2.2  MODEL  REFERENCE  FOR  AHRS  ATTITUDES  AND  AFCS  BODY  RATES 

The  same  basic  model  reference  is  used  to  relate  the  AFCS  gyro  body 
rates  and  the  attitude  indication  of  the  Attitude  and  Heading  Reference 
System.  By  replacing  the  subscripts  1,  2,  and  3  by  the  indices  4,  5, 
and  6  and  using  the  AHRS  measurements  to  drive  the  filter,  the  residuals 
that  are  generated  are 


e4^ 1  ^  =  'AHRS(i) 

-  x4(i) 

(55a) 

e5^  =  $AHRS(i) 

-  x5(i) 

(55b) 

e6(l^  =  ^AHRS(i) 

VO 

X 

(55c) 

2.3  MODEL  REFERENCE  FOR  AIRCRAFT  VERTICAL  MOTION 

A  model  reference  resembling  a  baro-inertial  altimeter  can  be 
employed  to  detect  failures  in  the  altimeter,  vertical  velocity  indi¬ 
cation,  INS  vertical  acceleration  output,  and  angle-of-attack  sensor. 

The  model  reference  is  incorporated  into  a  three-state  Kalman  filter, 
and  the  filter  residuals  are  monitored  to  accomplish  the  failure  de¬ 
tection. 

Figure  2  portrays  the  mathematical  model  upon  which  the  Kalman 
filter  is  based.  The  INS  accelerometer  output  is  modelled  as  the  true 
specific  gravity  plus  a  white  Gaussian  noise  (the  zh  axis  points  down¬ 
ward,  thus  causing  the  negative  sign);  the  noise  and  the  value  of  gra¬ 
vity  are  subtracted  from  that  accelerometer  output  to  yield  the  "true" 
vertical  acceleration.  This  is  integrated  twice  to  yield  altitude, 
which  is  then  put  through  a  first  order  lag  to  model  the  lag  between  the 
altimeter  reading  and  the  true  altitude.  The  three  state  variables  are 
identified  in  the  figure  as  Xy  =  lagging  altitude,  Xg  =  true  altitude, 
and  Xg  =  true  vertical  velocity. 
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The  measurements  are  corrupted  by  white  Gaussian  noise,  and  are 
comprised  of  z^  =  measured  (lagging)  altitude  from  the  altimeter,  Zg  = 
vertical  velocity  measurement  to  be  discussed  subsequently,  and  z^  = 
measured  vertical  velocity  available  from  the  altimeter. 


Thus,  the  mathematical  model  is 


~  — 

— 

H  1 

—  ~ 

x7 

-a 

a 

0 

*7 

0 

x8 

= 

0 

0 

1 

00 

X 

+ 

0 

_x9_ 

0 

0 

0 

x9 

1 

90  +  w]  (56) 


A  simple  approximation  to  the  equivalent  discrete  system  for  propagating 
estimates  between  update  times  would  be 


x?(i+l) 

e'aT  (l-e'aT)  T  +  I  (e“aT-l) 

x?(i) 

X8(i+D 

= 

0  1  T 

x8(i) 

xg(i+l ) 

0  0  1 

Xg(i) 

(57) 
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This  is  in  the  form  of  x(i+l)  =  $(i+l,i)  x(i)  +  B(i)  u(i)  +  G(i)  w(i) 
where  B(i)  =  G(i).  As  mentioned  previously,  by  employing  the  average 
value  of  az>i  over  an  interval  instead  of  its  value  at  the  beginning  of 
the  interval,  i.e.,  replacing  azh(i)  by  1/2  [az^(i)  +  dZh(i+1)]  when 
propagating  to  time  instant  (i+1),  superior  integration  accuracy  is 
obtained. 

Two  formulations  of  the  measurement  vector  are  possible,  one  com¬ 
posed  of  z.j  and  Zg  and  the  other  including  Zg  as  well.  The  measurements 
z-j  and  Zg  are  the  altitude  and  vertical  velocity  derived  from  the  same 
source,  barometric  altitude  determined  from  the  static  pressure  source. 
Hence,  a  failure  in  this  single  source  would  invalidate  both  signals, 
and  so  the  first  formulation  uses  a  vertical  velocity  measurement  in¬ 
dependent  of  the  altitude  reading,  Zg.  Thus,  an  inconsistency  between 
two  sources  of  information  could  be  detected.  The  second  formulation 
includes  both  vertical  velocity  indications:  it  could  respond  more 
rapidly  to  pressure  source  failures,  but  performance  was  not  substan¬ 
tially  different.  Consequently,  the  simpler  two-measurement  case  will 
be  depicted  throughout  the  report. 

The  independent  vertical  velocity  signal  is  obtained  by  means  of 
the  equation 

h  =  v  (cos  a  sin  8  -  sin  a  cos  0  cos  $)  (58) 

a 

Measured  values  of  pitch,  8,  and  roll,  $,  are  available  from  the  INS, 
and  values  for  true  airspeed,  v  ,  and  angle  of  attack,  a,  are  taken 

a 

from  the  Air  Data  Computer.  Under  most  flight  regimes,  the  sensitivity 
of  the  computed  h  to  errors  in  v  is  negligible,  so  that  a  reasonableness 

a 

check  on  v  is  sufficient  to  ensure  confidence  in  its  contribution  to 
equation  (58).  (Logic  could  disenable  failure  declarations  for  regimes 
of  high  sensitivity  to  v  .)  The  integrity  of  INS  pitch  and  roll  angles 

a 

can  be  checked  by  the  INS-AFCS  Kalman  filter  portion  of  the  detection 
algorithm.  Therefore,  any  discrepancy  between  the  computed  h  value 
(considered  a  measurement)  and  the  model  reference  estimate  Xg  can  be 
attributed  to  a  faulty  angle-of-attack  indication. 
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Referring  to  Figure  2,  the  two  formulations  can  be  summarized  by 


z  7  ( i ) 

1  0  0 

x7(i) 

u7(i ) 

2(1)  = 

z8(i) 

= 

0  0  1 

Xg(l  ) 

+ 

u8(i) 

Zg(D 

-a  a  0 

Xg(i  ) 

u9(i)_ 

-  H  x  ( i )  +  u 

The  partitioning  in  this  equation  depicts  the  two  possible  cases, 
[z?,  z8]  or  i  =  [z? ,  zg,  zg]. 


(59a) 


(59b) 

T 

z  = 


It  should  be  noted  that,  whether  or  not  the  measurement  Zg  is  used 
to  drive  the  Kalman  filter,  the  difference  between  the  vertical  velocim- 
eter  output,  h  j ,  and  the  model  reference  estimate  of  this  value, 

[a(Xg  -  Xy)],  can  be  monitored  to  detect  failures  in  the  vertical  ve- 
locimeter  itself  (as  distinct  from  a  failure  that  would  affect  both  the 
altimeter  and  velocimeter) . 

2.4  MODEL  REFERENCE  FOR  INDICATED  AIRSPEED  AND  NORMAL  ACCELERATION 

Erroneous  AFCS  normal  (body  z  axis)  accelerometer  output  and  faulty 
indicated  airspeed  can  be  detected  by  means  of  a  fourth  model  reference. 
An  independent  measure  of  normal  acceleration  can  be  obtained  from  the 
INS  outputs  of  platform  accelerations,  axh,  a^,  and  a^,  and  Euler  an¬ 
gles,  ip,  0,  and  c|>,  using  the  relation 

az  "  axh^n  4*  s’n  ^  +  cos  ^  s^n  6  cos  ^ 

+  a^(-sin  ip  cos  tp  +  cos  <p  sin  0  sin  tp)  (60) 

+  azh  cos  4>  cos  6 
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The  Euler  angles  and  a^  have  previously  been  tested  for  integrity  by 
the  other  model  reference  detection  logics.  Although  the  INS  horizontal 
accelerometers  have  not  been  explicitly  verified  as  operating  normally, 
the  previous  report  []  proposed  to  use  this  functional  relationship  as 
a  means  of  checking  the  AFCS  normal  accel erometer  (such  verification 
could  be  performed  by  other  means  of  failure  detection).  Once  the  value 
of  a?  is  known  to  be  valid,  it  can  be  used  to  compute  an  alternate 
evaluation  of  indicated  airspeed  []: 


vi 


2m  a. 


PQ  S(Cn+fn  0 


(61) 


where  m  is  the  aircraft  mass,  pQ  is  the  density  of  air  at  sea  level,  S 
is  the  aircraft  reference  area,  and  Cn  and  fn  are  constants  such  that 
the  term  in  parentheses  is  a  first  order  approximation  to  the  normal 
force  coefficient,  and  a  is  the  angle  of  attack.  Note  that  the  angle- 
of-attack  value  has  also  been  verified  previously.  Comparing  the  result 
of  equation  (61)  with  the  ADS  indicated  airspeed  allows  detection  of 
failures  in  this  measured  value. 


2.5  OTHER  MODEL  REFERENCES 

Additional  functional  redundancies  do  exist  in  the  varies  data 
systems  onboard  an  aircraft.  These  were  considered  and  rejected  pre¬ 
viously  due  to  being 

(1)  infeasible  or  unpromising; 

(2)  not  relevant  to  the  task  of  flight  stabilization  and  control, 
as  being  based  on  radiolocators  or  other  external  sources  of 
information;  or 

(3)  empirical  relations  highly  dependent  upon  particular  aircraft. 
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Other  applications  of  the  concept  are  feasible,  as  providing  con¬ 
fidence  in  propulsion  system  sensors  without  burdening  the  aircraft  with 
twenty  to  forty  sensors  per  engine.  However,  this  effort  will  be  di¬ 
rected  towards  the  control  data  instrumentation  application  to  demon¬ 
strate  the  capabilities  of  the  technique. 


2.6  FAILURE  DETECTION  AND  ISOLATION 

Using  the  model  references  discussed  in  the  previous  sections, 
failures  can  be  detected  and  isolated  by  monitoring  residuals  (in  the 
case  of  the  Kalman  filters)  or  other  appropriate  error  signals.  Let 
e^ ,  e^,  and  e^  be  the  residuals  of  the  INS-AFCS  filter,  as  defined  by 
equation  (54).  Similarly,  let  e^,  e^,  and  e^  be  the  corresponding 
residuals  of  the  AHRS-AFCS  filter,  defined  by  equation  (55).  Further, 
let  e^,  eg,  and  eg  denote  the  residuals  related  to  the  measurements  z-j, 
Zg,  and  Zg  of  the  vertical  channel  filter,  as  described  in  equation 

(59) .  (Note  that  eg  will  be  used  for  detection  purposes  whether  or  not 
it  is  actually  used  to  drive  the  Kalman  filter.)  Finally,  let  the  error 
between  computed  and  measured  normal  acceleration  define  e^,  and  the 
difference  between  computed  and  measured  airspeed  be  e^  (see  equations 

(60)  and  (61)  for  computation). 

With  these  error  signals  defined,  a  particular  failure  can  be  iso¬ 
lated  by  determining  which  errors  are  growing  abnormally  large.  Table 
IV  depicts  the  isolation  logic  to  be  employed.  The  listing  of  abnormal 
residual  magnitude  pertains  to  initial  effects.  For  instance,  if  an  INS 
gyro  fails,  eventually  all  outputs  of  the  INS  will  be  affected.  Note 
that  a  faulty  pitch  rate  indication  cannot  be  distinguished  from  an 
erroneous  yaw  rate  measurement  by  this  logic,  but  that  all  other  fail¬ 
ures  listed  can  be  isolated  as  well  as  detected. 
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TABLE  IV 

SENSOR  FAILURES  AND  CORRESPONDING  ABNORMAL  ERROR  SIGNALS 


Type  of  Failure 

Error  Signal 

el  e2  e3 

e4  e5  e6 

e7  e8  e9 

e10  ell 

INS  Pitch  Angle 

x 

INS  Roll  Angle 

X 

IMS  Yaw  Angle 

X 

AHRS  Pitch  Angle 

X 

AHRS  Roll  Angle 

X 

AHRS  Yaw  Angle 

X 

AFCS  Pitch  Rate 

XXX 

XXX 

AFCS  Roll  Rate 

X 

X 

AFCS  Yaw  Rate 

XXX 

XXX 

ADS  Altitude 

X 

AOS  Vertical  Velocity 

X 

ADS  Angle  of  Attack 

X 

INS  Vertical  Acceleration 

X  XX 

AFCS  Normal  Acceleration 

■ 

X 

ADS  Indicated  Airspeed 

X* 

*  =  Valid  only  if  e1Q  is  not  abnormally  large 
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2.7  MODIFICATIONS  TO  THE  MODEL  REFERENCES 

Previous  experimental  results  indicated  a  higher  sensitivity  of 
this  technique  to  failures  in  the  form  of  excessive  noise  than  to  bias 
shifts.  Consequently,  a  bias  estimation  capability  was  added  to  the  de¬ 
tection  algorithm  by  including  biases  as  state  variables  in  the  Kalman 
filter  model  references.  Actually  estimating  the  bias  levels  could 
yield  not  only  failure  declarations  due  to  bias  shifts,  but  also  a  means 
of  determining  how  to  compensate  such  drifts  to  retain  accurate  signal 
levels. 

Referring  to  Figures  1  and  2,  the  measurement  corruption  is  mod¬ 
elled  as  an  additive,  zero  mean,  white  Gaussian  noise,  as  in  Figure  3a. 

A  similar  diagram  could  be  drawn  for  the  dynamic  driving  noise  w.  cor¬ 
rupting  the  input  u^.  The  model  references  can  be  altered  by  replacing 
each  white  noise  signal  with  a  white  noise  plus  bias,  as  in  Figure  3b. 
Note  that  the  bias,  b^,  is  obtained  conceptually  by  passing  a  zero  mean, 
white  Gaussian  noise  through  an  integrator.  Instead  of  modelling  a  bias 
as 

b.  =  0  (62) 

as  would  seem  to  be  appropriate,  the  model  employed  is 


Figure  3a.  White  Noise  Corruption;  No  Bias 
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Figure  3b.  Model  Incorporating  Bias 

This  "pseudonoise"  is  necessary  to  yield  a  Kalman  filter  that  estimates 
the  bias  values  for  all  time.  Conceptually,  using  equation  (62)  would 
tell  the  filter  mathematically  that  the  initial  value  of  the  bias  is  un¬ 
certain,  but  you  are  sure  the  value  does  not  change  in  time.  As  a  re¬ 
sult,  the  filter  will  use  early  data  to  estimate  biases,  but  then  essen¬ 
tially  ignore  future  data  (appropriately,  since  the  filter  has  been 
"told"  the  values  do  not  change  in  time).  Putting  the  noise  w^.  in 
says,  in  essence,  that  there  is  some  uncertainty  in  the  bias  values  for 
all  time  of  interest. 

First  consider  the  model  for  the  vertical  motion  dynamics,  as  de¬ 
picted  in  Figure  2.  Neglecting  the  measurement  Zg,  add  the  bias  states 
to  the  input  and  to  the  two  remaining  measurements.  The  augmented  sys¬ 
tem  dynamics  are 


az 


-a  a  0 
0  0  1 
0  0  0 

0  0  0 
0  0  0 
0  0  0 


0  0  0 
0  0  0 
1  0  0 

0  0  0 
0  0  0 
0  0  0 


az 

bh 

bh 


0  0  0 
0  0  0 
0  0  0 


1  0  0 
0  1  0 
0  0  1 


"azh 

w 


q  +  w 


az 

wh 

W|1 


(64) 
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Note  that  the  upper  left  portion  of  the  system  matrices  and  upper  por¬ 
tion  of  the  vectors  are  the  original  system  description,  given  by  equa¬ 
tion  (56).  Further,  notice  w  that  the  bias  that  corrupts  the  input  en¬ 
ters  into  the  state  dynamics,  and  thus  there  is  a  nonzero  element  in  the 
corresponding  column  of  the  upper  right  partition  of  F(t).  Columns  as¬ 
sociated  with  biases  that  corrupt  measurement  variables,  z^,  are  all 
zeroes. 


The  associated  measurement  for  this  system  description  would  be 


As  before,  the  first  partition  of  these  quantities  is  the  original  de¬ 
scription,  with  no  biases,  as  presented  in  equation  (59). 

A  Kalman  filter  can  be  developed  using  this  dynamics  model  rather 
than  the  original  three-state  model.  When  adding  state  variables  in 
this  manner,  two  questions  must  be  asked.  First,  is  the  additional  com¬ 
plexity  warranted  by  the  performance  capability  gained?  Secondly,  is 
the  resulting  system  model  completely  observable?  In  other  words,  can 
the  filter  see  the  effects  of  the  individual  states  and  distinguish  the 
difference  between  these  effects? 

To  answer  the  second  question,  the  F  matrix  in  equation  (64)  and 
the  H  in  (65)  can  be  used  to  generate  the  observability  matrix, 

i  i 
i —  i 
i  i 
i  i 
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where  n  is  the  dimension  of  the  state  vector,  6  in  this  case.  The  sys¬ 
tem  model  is  observable  if  and  only  if  the  rank  of  this  matrix  equals  0. 
If  the  rank  is  (n-k),  then  there  are  k  unobservable  state  variables. 

When  this  test  is  conducted,  it  is  found  that  only  five  of  the  six 
states  are  observable.  This  is  true  whether  Zg  is  included  or  not,  and 
so  its  inclusion  would  not  be  warranted  from  an  observability  stand¬ 
point. 

If  the  altimeter  bias  state,  b^,  is  removed  from  the  model,  the 
rank  of  the  resulting  observability  matrix  is  still  five,  and  thus  the 
model  is  completely  observable.  Thus,  the  filter  can  estimate  the  bias 
in  the  vertical  accelerometer  and  in  the  vertical  velocity  measurement, 
but  cannot  separately  identify  the  bias  in  the  altimeter. 

This  filter  formulation  has  been  programmed  and  combined  with  the 
flight  simulation  program.  Whether  the  added  complexity  yields  substan¬ 
tial  enough  performance  improvement  to  merit  implementation  will  be  dis¬ 
cussed  subsequently.  However,  an  attractive  alternative  to  bias  estima¬ 
tion  will  also  be  proposed,  improving  performance  but  not  increasing  the 
state  vector  dimension. 


A  similar  state  augmentation  technique  for  bias  estimation  can  be 
applied  to  the  AFSC-INS  and  AFCS-AHRS  Kalman  filters  as  well.  Corres¬ 
ponding  to  equation  (51)  would  be  the  augmented  equation 


d_ 

x(t) 

fc[x(t),b(t),u(t),w(t)] 

dt 

b(t) 

^(t) 

and  replacing  (53)  would  be 


2(1) 


■N\l 


x(i) 

b(1) 


+  v(i) 


(68) 
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Because  scale  factor  errors  appeared  to  be  considerably  more  significant 
than  bias  errors  in  rate  gyros  f  ],  additional  bias  states  were  not 
added  to  the  rate  gyros  in  the  model  reference.  (Such  states  could 
readily  be  included  however.)  Instead,  bias  states  were  added  only  to 
the  Euler  angles  in  the  model  reference,  corresponding  to  the  outputs  of 
either  the  INS  or  AHRS.  Thus,  b  is  a  three-dimensional  vector,  and  f^. 
is  not  affected  by  t)  but  is  the  original  in  equation  (51).  To  speci¬ 

fy  the  associated  Kalman  filter  completely,  a  statistical  description  of 
the  initial  value  of  b^(O),  and  the  driving  noise  sequence,  w^t),  is 
required.  The  bias  b(0)  would  be  assumed  to  be  of  mean  zero,  probably 
uncorrelated  with  ,x(0)  (though  not  necessarily),  and  Gaussian  with  known 
covariance;  similarly  w^(t)  would  be  white,  Gaussian,  zero  mean,  and  un¬ 
correlated  with  other  random  processes  affecting  the  system. 

These  augmented  filters  have  also  been  prrgrammed,  but  are  similar¬ 
ly  regarded  as  means  of  improving  performance  only  if  the  alternative  to 
bias  estimation  is  inadequate.  Some  observability  difficulty  would  be 
expected  with  regard  to  the  bias  added  to  the  yaw  measurement,  since  the 
yaw  state,  does  not  appear  explicitly  in  f^.  of  equations  (50)  and 
(51),  and  might  be  difficult  to  distinguish  from  an  assumed  bias  in  its 
value.  Being  a  nonlinear  set  of  equations,  this  system  description 
cannot  readily  be  examined  for  observability  as  done  for  the  vertical 
channel  filter.  However,  by  investigating  the  linearized  perturbation 
equations  corresponding  to  equation  (67),  and  assuming  time  invariance 
over  a  period  of  interest,  such  unobservability  of  the  bias  on  ip  does 
result.  This  does  not  demonstrate  unobservability  in  the  time-varying, 
nonlinear  system,  but  does  indicate  a  potential  source  of  difficulty. 
Thus,  the  augmented  state  vector  may  not  include  the  ^  bias  state. 
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2.8  ADAPTATION  TO  FAILURES 

In  event  of  a  sensor  failure,  it  would  be  desirable  to  synthe¬ 
size  a  best  estimate  of  the  parameters  whose  direct  measurements  have 
been  lost.  Such  adaptation  is  feasible  by  inhibiting  the  failed  sig¬ 
nals  from  driving  the  model  references.  In  the  case  of  the  Kalman  fil¬ 
ter  references,  the  row  of  that  corresponds  to  the  failed  sensor  could 
be  set  to  zero  and  the  residual  not  used  to  drive  the  filter.  Or,  the 
corresponding  term  in  the  covariance  matrix  R  could  be  increased  appro¬ 
priately  to  de-emphasize  the  value  of  a  sensor  reading  if  a  "hard"  fail¬ 
ure  has  not  occurred  and  there  is  still  some  limited  information  in  the 
signal . 

It  would  be  conceivable  to  use  such  a  technique  to  synthesize  the 
values  of 

(1 )  any  INS  Euler  angle 

(2)  any  AHRS  Euler  angle 

(3)  ADS  altitude,  vertical  velocity,  or  indicated  airspeed 

(4)  AFCS  normal  acceleration. 

It  is  important  to  know  whether  all  states  in  the  various  Kalman 
filters  are  observable  in  the  event  of  a  failed  sensor  being  removed 
from  the  data  inputs.  The  rank  of  associated  observability  matrices 
will  indicate  such  capability. 
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First  consider  either  of  the  two  attitude  Kalman  filters.  As  be¬ 
fore,  looking  at  the  linearized  systems  indicates  that  a  viable  estimate 
of  the  yaw  angle  may  be  difficult  to  obtain  if  the  INS  or  AHRS  yaw 
signal  fails.  Perhaps  the  best  procedure  in  such  a  case  would  be  to  use 
the  other  available  yaw  signal  (or  signals  if  hardware  redundancy  is 
also  employed)  since  the  filter  cannot  provide  useful  information. 

However,  if  either  the  pitch  or  roll  (or  both)  indications  are  lost,  a 
somewhat  degraded  filter  estimate  of  all  states  is  still  attainable. 

To  examine  the  extent  of  performance  degradation  due  to  removal  of 
failed  signals,  it  may  be  useful  to  look  at  the  (steady-state)  value  of 
the  information  matrix,  i.e.,  the  matrix  P"^  that  is  propagated  from  P-^(tQ) 
=  0  [  ].  This  could  be  accomplished  by  setting  the  appropriate  term  in 
R.  to  infinity  or,  equivalently,  the  corresponding  term  in  R~^  to  zero, 
and  directly  computing  P  ^  in  the  limit  from  an  initial  condition.  This 
technique  is  probably  better  suited  to  the  case  of  linear  dynamics,  as 
in  the  vertical  channel  filter  to  follow. 

Now  consider  the  vertical  channel  filter  driven  by  z^  and  Zg.  If 
Zg,  computed  vertical  velocity,  were  removed,  all  states  are  still  ob¬ 
servable,  and  thus  a  viable  estimate  can  be  maintained.  However,  if  z?, 
altitude,  were  lost,  the  observability  matrix  is  of  rank  one,  and  only 
vertical  velocity  is  observable. 
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If  Zg,  the  vertical  velocity  derived  from  barometric  altitude,  were 
also  used  to  drive  the  vertical  channel  filter,  then  loss  of  Zg  would 
again  yield  a  completely  observable  system,  as  would  loss  of  both  Zg 
and  Zg.  If  z-j  or  both  z^  and  Zg  were  lost,  two  states  are  observable 
due  to  the  measurement  Zg. 

3.  OPTIMAL  COMBINATION  OF  DATA 

Conceptually,  the  Kalman  filters  employed  as  model  references  can 
serve  to  generate  optimum  estimates  of  the  model  state  variables.  Thus, 
the  AFCS-INS  or  AFCS-AHRS  filters  could  provide  optimum  estimates  of  the 
Euler  angles.  In  fact,  an  overall  "optimum"  estimate  of  Euler  angles 
could  be  generated  by  a  larger  filter  that  incorporated  data  from  all 
three  systems:  the  AFCS  rate  gyros,  the  inertial  system,  and  the  atti¬ 
tude  and  heading  reference  system.  Similarly,  the  vertical  channel  fil¬ 
ter  could  conceptually  provide  optimum  estimates  of  altitude,  lagging 
altitude,  and  vertical  velocity.  By  combining  the  information  from  in¬ 
dividual  data  systems,  an  optimal  estimator  can  increase  the  precision 
of  the  data  above  that  of  any  single  system.  Consequently,  one  might 
propose  to  use  the  outputs  of  the  Kalman  filters  as  the  best  signals  to 
represent  these  variables. 

However,  the  simplicity  of  the  models  employed  in  the  filters  dic¬ 
tates  against  this.  A  truly  optimum  filter,  incorporating  as  accurate 
(and  complex)  a  model  of  a  certain  dynamic  phenomenon  as  can  be  developed, 
will  in  fact  yield  estimates  whose  precision  is  higher  than  any  single 
data  source.  The  design  objective  here  has  not  been  to  develop  a  large 
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op 1 1 ind 1  state  estimator,  but  to  generate  as  simple  and  small  an  esti¬ 
mator  as  will  provide  adequate  failure  detection  performance.  Not  only 
are  the  filter  dimensions  low,  but  in  the  case  of  the  two  attitude  fil¬ 
ters,  the  nonlinear  dynamic  equations  are  propagated  by  a  simple  first 
order  integration  technique  at  a  rather  low  update  rate. 

Although  the  prospects  of  the  filters  serving  as  adequate  data  es¬ 
timators  seemed  poor,  tests  were  conducted  to  determine  realizable  per¬ 
formance.  Both  the  separated  AFCS-INS  and  AFCS-AHRS  attitude  filters 
and  the  combined  AFCS-INS-AHRS  filter  were  tested  by  means  of  simulated 
aircraft  and  measurement  system  dynamics,  as  was  the  vertical  channel 
filter.  The  attitude  results  were  poor,  especially  during  any  substan¬ 
tial  maneuvering,  this  being  attributed  mostly  to  the  simplified  propa¬ 
gation  of  nonlinear  dynamics.  In  fact,  the  problem  of  transient  filter 
response  manifests  itself  to  some  degree  in  the  failure  detection  logic, 
but  the  effects  can  be  masked  by  procedures  to  be  described  in  the  next 
section.  As  a  result  of  these  procedures,  the  simple  filters  can  serve 
for  the  failure  detection  function,  but  the  filtered  estimates  them¬ 
selves  are  too  inaccurate  to  use  as  optimal  data  signals.  The  vertical 
channel  filter  exhibited  better  performance,  but  any  avionics  system  in¬ 
volving  inertial  and  air  data  systems  will  encompass  baro-inertial  coup¬ 
ling  to  damp  the  inertial  vertical  channel,  so  there  is  no  significant 
gain  from  using  this  filter  to  combine  data  from  individual  sensors. 

It  is  conceivable  that  a  data  system  that  does  in  fact  perform 
optimal  combination  of  information  from  the  INS,  AHRS,  AFCS,  and  ADS 
will  be  developed.  Such  a  system  would  require  more  accurate  models, 
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accounting  for  biases  and  other  phenomena  not  modelled  herein.  Update 
rates  and  propagation  (integration)  techniques  would  require  further 
investigation.  Practical  aspects,  such  as  the  fact  that  the  various 
sensors  are  situated  at  different  environments  (as  vibration  effects), 
would  also  have  to  be  considered.  If  such  an  overall  data  system  were 
designed  into  a  vehicle's  avionics  system,  it  would  be  ideally  suited 
to  exploiting  the  concept  of  functional  redundancy.  However,  this  ef¬ 
fort  has  been  conducted  without  imposing  the  assumption  that  such  an 
avionics  architecture  were  available:  demonstration  of  concept  feasi¬ 
bility  with  a  minimum  of  extra  onboard  computer  loading  has  been  a  very 
influential  design  objective. 
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SECTION  III 

PRACTICAL  APPLICATION  OF  THE  TECHNIQUE 

1.  SYSTEM  DESIGN  AND  IMPLEMENTATION 

The  feasibility  of  using  functional  redundancy  to  detect  and  iso¬ 
late  control  data  sensor  failures  has  been  partially  established  in  the 
past  [  ]•  Numerous  means  of  improving  the  performance  capabilities  of 
the  concept  have  been  developed  in  this  research,  with  substantial  suc¬ 
cess  in  minimizing  the  missed  alarms  and  false  alarms  produced  by  the 
detection  logic.  However,  a  mere  demonstration  of  concept  feasibility 
is  not  as  desirable  or  useful  as  such  a  demonstration  combined  with  a 
methodical,  systematic  procedure  of  application  of  the  concept.  This 
chapter  describes  two  principal  aspects  of  applying  the  functional  re¬ 
dundancy  method  of  failure  detection  to  practical  situations. 

First  of  all,  the  development  of  the  failure  detection  algorithm 
and  associated  digital  computer  software  into  a  systematic  design  tool 
will  be  delineated.  In  so  doing,  the  various  methods  used  to  enhance 
the  algorithm  performance  capabilities  will  be  thoroughly  discussed. 

The  result  of  these  improvements  is  a  software  package  with  sufficient 
flexibility  to  allow  an  engineer  to  tailor  the  failure  detection  algo¬ 
rithm  to  his  particular  needs.  Once  the  design  has  been  optimized  with 
this  tool,  final  implementation  of  the  software  in  an  onboard  computer 
can  be  conducted. 
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This  is  the  second  aspect  of  practical  application:  once  a  tuned 
design  has  been  achieved,  what  mode  of  usage  is  most  appropriate?  As 
conceived  herein,  functional  redundancy  will  be  used  in  conjunction 
with  other  failure  detection  methods.  Within  this  framework,  there  are 
many  alternative  ways  of  declaring  failures,  and  once  a  failure  is  de¬ 
clared,  there  are  numerous  methods  of  restructuring  the  data  systems. 

The  performance  analysis  provided  by  the  design  tool  can  aid  the  selec¬ 
tion  of  the  most  advantageous  option  for  a  particular  application. 
Whether  it  be  simple  or  sophisticated,  the  end  result  will  be  a  means 
of  (1)  detecting,  (2)  isolating,  and  (3)  declaring  failures,  combined 
with  a  logic  for  (4)  reconfiguring  the  data  system,  that  is  effective 
and  efficient  for  on-line  use. 

2.  USE  OF  DESIGN  TOOL 

The  computer  software  that  has  been  developed  is  in  four  basic 
parts.  First  an  all-digital  aircraft  flight  simulator  generates  the 
actual  profiles  to  be  flown.  It  is  a  complete  and  sophisticated  simu¬ 
lation  program,  encompassing  not  only  basic  flight  path  equations,  air¬ 
craft  translational  dynamics  and  attitude  relations,  but  also  detailed 
models  of  atmospheric  effects,  winds,  the  vehicle's  engines,  aerody¬ 
namic  effects,  and  the  flight  control  system  employed  (including  its  in¬ 
fluence  in  generating  sideslip  phenomena).  The  extensive  detail  of 
this  simulation  program  provides  a  very  accurate  representation  of  true 
flight  characteristics.  The  output  of  this  segment  of  software  is  the 
set  of  "true"  values  of  parameters  to  describe  the  aircraft  operation 
and  the  environment  in  which  it  is  flying. 
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These  outputs  then  feed  into  the  second  general  partition  of  the 
software,  the  models  of  the  instrumentation  systems  onboard  the  air¬ 
craft.  Included  are  segments  that  completely  define  the  operational 
characteristics  of: 

(1)  the  Air  Data  System  (ADS), 

(2)  the  Inertial  Navigation  System  (INS), 

(3)  the  Attitude  Heading  Reference  System  (AHRS),  and 

(4)  the  Automatic  Flight  Control  System  (AFCS)  data  sensors. 

These  instrumentation  models  include  sensor  dynamic  characteristics  and 
sources  of  uncertainty.  In  all  cases,  the  parameters  that  define  the 
instrument  operation,  power  spectral  densities  of  noises  and/or  uncer¬ 
tainties  inherent  in  the  instruments,  and  signal  biases  can  be  readily 
altered  by  means  of  input  cards  to  the  program.  Thus,  the  first  two 
segments  of  the  program  allow  the  specification  of  any  aircraft  in  any 
environment  with  any  complement  of  particular  data  sensor  systems. 
Moreover,  off-nominal  as  well  as  nominal  situations  can  be  simulated,  as 
an  F-4  with  a  different,  more  state-of-the-art  INS  than  these  aircraft 
actually  carry  (as  was  actually  done  in  the  particular  performance 
analyses  reported  herein). 

The  instrumentation  model  segment  of  the  software  performs  another 
function  as  well.  By  proper  selection  of  input  cards  to  the  program, 
the  engineer  can  cause  this  program  segment  to  simulate  a  wide  variety 
of  instrumentation  failures.  The  failures  that  are  simulated  duplicate 
the  major  modes  of  failure  described  in  Section  1.4. 
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The  third  section  of  the  software  package  consists  of  a  very  flexi¬ 
ble  set  of  logic  for  detecting,  isolating,  and  declaring  failures  and 
for  restructuring  the  data  system  upon  failure  declaration.  In  actual 
onboard  implementation  of  the  functional  redundancy  concept,  the  soft¬ 
ware  would  be  simpler:  the  flexibility  is  intended  to  expedite  initial 
design  procedures.  Two  versions  of  this  segment  have  been  programmed-- 
that  encompassing  the  "standard"  Kalman  filter  structures  and  the  other 
that  employs  the  augmented  filters  for  bias  estimation  as  well;  the 
separation  into  two  interchangeable  segments  rather  than  one  large  pro¬ 
gram  with  options  was  motivated  by  computer  programming  efficiency. 

The  final  section  provides  performance  evaluation  outputs  in  the 
form  of  both  printouts  and  plots  of  significant  parameters.  By  monitor¬ 
ing  these  outputs,  the  engineer  can  iterate  upon  a  failure  detection 
logic  design  until  he  converges  upon  a  final  implementation  with  a  per¬ 
formance  suited  to  his  needs. 

If  desired,  the  computer  software  is  readily  modified  to  accommo¬ 
date  actual  flight  data  recorded  from  the  appropriate  sensors  onboard  an 
aircraft,  rather  than  being  driven  by  the  simulation.  Sampled  data  from 
the  tapes  of  the  sensor  outputs  would  be  read  into  computer  locations 
from  which  the  third  and  fourth  software  segments,  the  detection  logic 
and  performance  evaluation  segments,  are  driven.  (A  portion  of  the 
performance  evaluation  segment  is  inhibited  since  the  "true"  values  of 
flight  variables  are  not  separable  from  the  data  -  this  will  be  de¬ 
veloped  further  in  paragraph  2.3  of  this  section.  Sensor  failures  can 
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still  be  simulated  by  generating  the  sensor  output  signal  variations  due 
to  a  failure  (generated  by  two  runs  of  the  overall  simulation  program, 
one  without  failures  and  the  second  identical  to  the  first,  but  with  a 
failure  simulated  -  the  sensor  outputs  are  then  differenced  to  obtain  a 
time  history  of  the  desired  signal  variation)  and  adding  this  to  the 
real  data  samples. 

The  following  section  will  discuss  the  methodical  design  procedure 
made  available  by  this  design  tool,  along  with  associated  concepts  and 
software. 

2.1  BASIS  OF  COMPARISON 

The  initial  computer  runs  are  conducted  with  no  simulated  failures 
and  sensor  biases  set  to  zero.  For  the  current  investigation,  a  nominal 
trajectory  was  chosen  to  be  a  simulated  approach  trajectory  flown  by  an 
F-4,  composed  of  a  period  of  level  flight  followed  by  a  coordinated  fi¬ 
nal  turn  and  then  a  pitchover  and  descent  to  touchdown.  This  choice  was 
made  to  compare  performance  results  to  those  of  the  previous  investiga¬ 
tion,  and  there  is  nothing  inherent  in  the  software  to  constrain  atten¬ 
tion  to  only  this  trajectory. 

There  are  a  number  of  reasons  for  such  a  set  of  computer  runs. 

First  of  all,  the  entire  nominal  trajectory  is  flown  and  appropriate 
data  is  stored  to  provide  realistic  values  for  aircraft  and  logic  pa¬ 
rameters  at  various  selected  points  along  the  trajectory.  These  can 
then  serve  to  initialize  the  simulation  of  shorter  trajectory  segments, 
on  the  order  of  10  to  30  seconds  of  flight  time,  during  which  failures 
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or  other  phenomena  can  be  simulated.  In  the  tests  conducted  in  this  in¬ 
vestigation,  three  such  segments  were  chosen:  one  in  level  flight,  one 
for  the  duration  of  the  turn,  and  the  last  during  descent.  Thus,  the 
particular  types  of  flight  environment  deemed  to  be  critical  to  perfor¬ 
mance  evaluations  can  be  simulated  realistically  with  only  small  amounts 
of  required  computer  time. 

Another  reason  for  a  set  of  trajectories  with  no  simulated  failures 
or  sensor  biases  is  to  allow  "tuning"  of  the  filters  embodied  in  the  de¬ 
tection  logic.  Means  of  obtaining  good  statistical  data  about  sensor 
performance  characteristics  will  be  discussed  in  paragraph  2.2  which 
follows.  Such  information  is  required  to  establish  the  covariance  ma¬ 
trices  Q,  R,  and  P^  that  define  the  Kalman  filters.  However,  even  with 
good  statistical  data  about  the  sensors,  establishing  appropriate  covar¬ 
iances  is  an  iterative  process.  Consider  either  of  the  two  attitude 
filters:  the  matrix  embodies  not  only  the  uncertainty  in  the  rate 
gyro  outputs,  but  also  the  uncertainty  contributed  by  using  a  very  sim¬ 
ple  mathematical  model  to  represent  a  complex  dynamical  relationship. 
Consequently,  it  is  necessary  to  vary  these  covariance  matrices  until 
desirable  filter  performance  is  obtained. 

In  practice,  this  tuning  is  achieved  by  making  repeated  runs  of 
a  nominal  trajectory  while  changing  only  the  filter  covariances  from 
one  run  to  the  next.  Then  the  filter's  evaluations  of  the  standard 
deviations  in  its  own  state  estimates  are  obtained  by  taking  the  square 
root  of  each  diagonal  term  of  the  propagated  error  covariance  P.  These 
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are  then  compared  to  the  observed  time  history  of  the  components 
(x  -  xt),  where  x  is  the  filter  estimate  of  the  state  and  xt  is  the 
"true"  value  of  the  state  variables  as  generated  by  the  simulation  por¬ 
tion  of  the  software.  If  approximately  70%  of  the  time  history  of  each 
separate  component  of  (x  -  x^.)  is  within  the  propagated  standard  devia¬ 
tion  value  from  zero,  or  if  about  95%  are  within  two  times  this  value, 
then  the  filter  is  fairly  well  "tuned."  Typically,  the  elements  of  Q 
especially  have  to  be  increased  over  sensor  statistics  magnitudes  to 
preclude  a  substantial  underestimate  of  error  standard  deviations  by 
the  filters.  Paragraph  2.3  of  this  section  will  describe  the  capabil¬ 
ities  of  the  current  software  to  facilitate  this  timing. 

Sensitivity  of  this  tuning  to  sensor  biases  that  are  within  tol¬ 
erances  may  also  be  considered  during  this  tuning.  As  a  result,  the 
magnitudes  of  the  noise  covariances  may  be  increased.  Or,  the  tuning 
based  on  zero  biases  might  be  maintained  and  the  thresholds  in  the  de¬ 
tection  logic  adjusted  to  accommodate  the  in-tolerance  bias  effects. 

These  initial  data  runs  generate  plots  of  time  histories  of  each 
individual  likelihood  function  used  in  the  failure  detection  logic. 

Thus,  their  character  under  normal  conditions  can  be  investigated.  By 
simulating  all  of  the  pertinent  aircraft  flight  profile  and  in-toler¬ 
ance  system  variations,  a  complete  analysis  of  likelihood  function  maxi¬ 
mum  magnitudes  and  transient  characteristics  under  normal  operation  can 
be  attained.  This  serves  as  one  basis  of  setting  the  thresholds  and 
time-before-failure-declaration  parameters,  to  be  discussed  subsequently. 
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2.2  ESTABLISHING  SENSOR  STATISTICS 

Obtaining  statistical  information  about  the  error  characteristics 
of  sensors  from  their  manufacturers  or  users  is,  in  general,  very  diffi¬ 
cult.  Consequently,  this  information,  which  is  required  not  only  to  de¬ 
sign  the  filters  of  the  failure  detection  algorithm  but  also  to  generate 
a  realistic  simulation  for  performance  analyses,  often  must  be  generated 
by  the  system  designer.  There  are  standard  techniques  available  that 
facilitate  the  evaluation  of  reasonable  variance  values  for  noise  and 
uncertainty  phenomena  that  corrupt  sensor  outputs.  For  instance,  power 
spectral  density  analysis  of  signals  can  be  used  to  verify  the  form 
error  models  in  the  simulation  as  well  as  determine  appropriate  noise 
levels  to  drive  the  models.  For  the  simplified  models  in  the  Kalman 
filters  of  a  true  value  being  corrupted  by  a  white  Gaussian  noise,  the 
strength  of  the  noise  can  be  set  so  as  to  duplicate  the  low  frequency 
power  spectral  density  value. 

A  data  reduction  program  has  been  developed  to  perform  a  statisti¬ 
cal  analysis  of  a  sequence  of  data  samples,  consisting  of  evaluations 
of  the  mean  and  variance  of  a  set  of  samples  and  a  test  for  the  white¬ 
ness  of  the  sequence.  There  are  three  primary  applications  for  it 
with  regard  to  functional  redundancy  logic  design  and  implementation: 

(1)  A  sensor,  or  a  number  of  identical  sensors,  can  be  tested 
under  controlled  conditions  so  that  the  true  value  of  the  variable 
being  measured  is  known.  Then,  based  on  the  assumption  inherent  in  the 
detection  logic  filters  of  the  instrument  being  adequately  modelled  as 
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generating  the  true  value  corrupted  by  white  Gaussian  noise  (and  possi¬ 
bly  a  constant  bias  that  can  be  subtracted  out),  a  valid  variance  level 

for  that  corrupting  noise  can  be  established. 

(2)  Again  under  controlled  (laboratory)  conditions,  the  more  com¬ 
plex  simulation  models  can  be  validated  and  good  model  parameters  at¬ 
tained.  Conceptually,  an  (extended)  Kalman  filter  would  be  developed 
about  a  given  dynamics  model  of  each  measuring  device,  real  sensor  data 
would  be  used  to  drive  the  filter,  and  the  mean,  variance,  and  whiteness 
of  the  resulting  residual  sequence  tested.  Iterations  of  this  hypothe¬ 
sis  testing  would  yield  the  final  simulation  model  specification. 

(3)  Another  application  will  be  discussed  further  in  paragraph 
2.8  of  this  section,  namely  that  of  preflight  initialization.  Again, 
under  conditions  that  allow  true  values  of  measured  variables  to  be 
known  exactly,  the  sensor  systems  would  be  operated  and  the  appropriate 
values  of  R,  Q,  and  could  be  established  before  each  operational 
usage  of  the  filters.  This  would  allow  adaptation  to  component  varia¬ 
tions.  Moreover,  by  estimating  the  mean  value  of  a  signal  whose  appro¬ 
priate  value  is  known  (since  the  true  variable  value  that  the  signal 
represents  is  known),  the  bias  in  the  signal  can  be  estimated  and  com¬ 
pensated. 

The  data  reduction  program  operates  in  the  following  manner. 

First  one  establishes  a  known  steady-state  value  of  what  the  particular 
instrument  should  be  measuring,  and  runs  the  sensor  in  this  steady-state 
condition  (or  possibly  lets  the  variable  assume  a  known  nominal  function 
of  time).  This  data  is  assumed  to  be  in  sampled  data  form,  using  a 
fixed  sample  rate. 
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Once  this  data  is  generated,  an  even  integer  N  is  chosen  as  the 
number  of  samples  over  which  the  mean  and  variance  of  the  sequence  can 
be  assumed  to  remain  essentially  constant.  A  sliding  arc  of  N  samples 
at  a  time  is  then  used  to  estimate  the  mean  and  variance  evaluated  at 
the  time  of  the  middle  sample  in  the  sliding  arc.  In  other  words,  to 
determine  the  mean  and  variance  values  for  time  instant  i,  the  data 
samples  from  instant  (i  -  1/2N)  through  instant  (i  +  1/2N  -  1)  would  be 
used,  a  total  of  N  samples  at  a  time.  This  N-sample  arc  is  allowed  to 
"slide"  one  sample  period  at  a  time,  generating  a  sequence  of  mean  and 
variance  values.  No  evaluations  are  made  for  i  such  that  (i  -  1/2  N)  1 
or  (i  +  1/2N  -  1)  (total  number  of  data  samples).  Thus,  for  data  sam¬ 
ples  x(l),  x(2),  ....  the  mean  evaluated  for  instant  i,  denoted  as  m(i), 
is 

i=^m-l 

m(i)  =  1  j  x(j)  (69) 

m  .  .  1 

=  m(i-l)  +  j~  [x(i+^m-l )-x(i-^m-l )]  (70) 

and  the  associated  variance,  v(i),  would  be  calculated  as 
i+^m-l 

v(  i )  =  fpj-  l  [x(j)  -  m(i)]2  (71 ) 

If  the  appropriate  "flag"  parameter  is  set  in  the  data  reduction 
program  input,  it  will  also  perform  a  Q-test  to  determine  whether  the 
sequence  of  data  samples  is  a  white  sequence  or  not.  Such  information 
is  useful  in  verifying  the  adequacy  of  assumed  models.  The  manner  in 
which  the  Q-test  indicates  the  whiteness  of  a  sequence,  or  the  degree  to 
which  its  consecutive  values  are  not  correlated  with  one  another,  is 
described  in  Reference  [  ]. 
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2.3  SOFTWARE  INPUTS  AND  OUTPUTS 

The  applicability  of  the  software  package  as  a  design  tool  is  a 
function  of  the  flexibility  provided  in  both  input  controls  and  avail¬ 
able  performance  analysis  outputs.  First  the  significant  inputs  will  be 
considered,  including  control  over  the  inputs  to  the  error  detection 
logic: 

(1)  aircraft  and  trajectory  simulation 

(2)  sensor  error  model  parameters 

(3)  random  number  generators 

(4)  failure  simulations 

(5)  replacement  of  simulated  data  with  real  data  recorded  in 

flight  test,  and  control  over  the  detection  logic  itself 

(6)  dimension  of  filters  employed  (inclusion  or  exclusion  of 

bias  estimation) 

(7)  the  statistical  description  of  sensor  errors  embodied  in 
the  filters 

(8)  the  strengths  of  "pseudoncises"  added  to  the  Kalman  fil¬ 
ter  system  models  to  depict  the  uncertainty  in  the  accur¬ 
acy  of  the  models  themselves 

(9)  the  number  of  samples  included  in  each  likelihood  func¬ 
tion  evaluation 

(10)  the  threshold  for  each  likelihood  function  in  the  failure 
detection  logic 

(11)  the  "time-to-failure-declaration"  associated  with  each 
likelihood  function  in  the  detection  logic 

(12)  the  algorithm  iteration  rate. 
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The  first  five  items  (except  for  the  third)  have  been  discussed 
previously  in  Section  III. 2,  and  are  reiterated  here  to  emphasize  the 
ease  of  altering  these  control  inputs.  Any  aircraft  configuration,  with 
any  complement  of  particular  sensor  systems,  can  be  flown  on  any  spe¬ 
cified  trajectory  through  various  environments.  Data  collected  from 
these  first  computer  runs  serve  to  initialize  the  simulation  at  various 
points  of  interest  along  the  trajectory.  Shorter  trajectory  segments 
are  then  flown  from  these  points,  with  any  of  an  array  of  failures  and 
in-tolerance  system  variations  simulated  during  the  shorter  segments  of 
flight  profile  (the  specification  and  length  of  which  are  also  under 
complete  control  of  the  designer). 

The  third  item  listed  requires  further  elaboration.  The  simulation 
(or  real  data  driving  inputs)  entail  a  specification  of  detection  logic 
performance  for  a  single  set  of  sensor  data.  It  is  not  a  covariance 
type  analysis  in  which  a  statistical  description  of  expected  performance 
over  an  ensemble  of  flights  is  generated  in  a  single  computer  run.  Ra¬ 
ther,  because  nonlinearities  in  simulation  models  preclude  such  an  anal¬ 
ysis,  Monte  Carlo  runs  must  be  generated  in  order  to  assume  a  statisti¬ 
cally  significant  specification  of  system  performance.  Uncertainties 
and  noise  phenomena  are  simulated  by  means  of  random  number  generators 
and  appropriate  weighting  to  generate  white  Gaussian  sequences  of  values. 
By  controlling  the  initial  value  from  which  the  random  number  generators 
start,  different  sequences  of  values  are  generated  so  as  to  share  iden¬ 
tical  statistics,  thereby  allowing  Monte  Carlo  runs  of  the  same  nominal 
situation  to  be  made.  The  software  has  been  written  so  that,  unless 
otherwise  specified,  the  initial  value  in  the  noise  generators  is  always 
the  same  for  the  start  of  any  data  run;  this  is  to  allow  comparison  of 
performance  over  simulations  which  are  known  to  be  exactly  the  same  ex¬ 
cept  for  some  controlled  parameter,  as  the  incorporation  of  exclusion  of 
a  sensor  failure.  However,  by  making  the  multiple  passes  over  the 
same  trajectory  in  a  single  data  run,  the  random  number  generators  are 
controlled  so  that  a  Monte  Carlo  set  of  runs  is  in  fact  generated. 
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The  first  two  facets  of  detection  logic  control  have  already  been 
discussed.  As  mentioned  previously,  two  separate  software  packages  have 
been  developed,  one  with  bias  estimation  and  the  other  without.  For  any 
particular  application,  trade-off  analyses  of  performance  improvement 
versus  additional  computer  loading  caused  by  bias  estimation  should 
probably  be  conducted.  However,  due  to  factors  to  be  discussed  further 
in  Section  III. 2. 8,  the  simpler  version  will  most  likely  be  preferable. 
Unless  otherwise  noted,  this  report  will  be  portraying  the  performance 
of  this  version. 

Section  III. 2. 2  discussed  some  methods  of  developing  a  good  sta¬ 
tistical  description  of  the  sensors  that  drive  the  detection  logic 
filters  in  an  actual  implementation.  This  would  be  the  first  step  in 
setting  the  values  of  Q  and  R  in  these  filters. 

However,  such  evaluations  of  ^  and  R  are  generally  underestimates 
of  values  that  will  provide  the  best  filter  performance.  This  is  true 
because  the  assumed  models  in  the  filters  are  extremely  simple,  and  some 
account  for  the  misrepresentation  by  these  models  of  true  sensor  per¬ 
formance  must  be  made.  Consequently,  "pseudonoises"  are  added  to  the 
Kalman  filter  models  to  express  this  uncertainty.  These  "pseudonoises" 
are  typically  added  to  the  models  at  the  same  locations  as  the  "noises" 
w  and  v  enter,  so  that  the  essential  result  is  to  alter  the  entries  of  Q 
and  R  matrices.  Thus,  if  Q  $eN5qr  and  R  depict  the  noise  covari¬ 

ance  generated  to  describe  the  sensor  statistics,  the  actual  Q  and  R  to 
be  employed  in  the  filter  are 

^  =  ^SENSOR  +  QaDJ  (72) 


-  =  -SENSOR  +  ^ADJ 


(73) 
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Here  and  R^j  are  matrices  that  are  adjusted  to  enable  the  filters 
to  achieve  good  P  values  (this  determination  is  aided  by  the  software 
outputs)  and  thus  track  adequately.  Repeated  runs  are  made  while  alter¬ 
ing  and  R^pj  until  good  filter  performance  is  attained.  The  soft¬ 

ware  maintains  a  separation  of  Q.$£Nsqr  and  R$ENS0R  from  tota^  S  ar>d 
R  for  convenience.  By  so  doing,  the  best  estimates  of  sensor  statistics 
are  available  for  reference,  and  the  additional  adjustment  required  due 
to  model  uncertainty  can  be  explicitly  displayed  and  compared  to  the 
sensor  statistics. 


Section  1 1. 1.4  described  the  application  of  likelihood  function 

statistical  testing  to  the  detection  of  sensor  failures.  It  was  shown 

that  the  appropriate  likelihood  functions  for  the  detection  logic  are 

generated  approximately  as  an  N-step  sum  of  terms  of  the  form 
2  2 

{-l/2[e  (i)/a  ( i )  ] }  where  e(i)  is  the  observed  filter  residual  at  time 
instant  i  corresponding  to  the  variable  of  interest,  and  o  (i)  is  the 
filter's  estimate  of  what  the  variance  of  this  residual  error  should  be 
if  there  are  no  sensor  failures.  (Thus,  the  ability  of  the  filters  to 
achieve  good  Rvalues  will  be  instrumental  in  achieving  viable  detection 
logic  performance  as  well  as  good  filter  tracking  performance.)  In 
other  words,  the  N  most  recent  residual  error  signal  values  are  used  to 
statistically  test  the  hypothesis  that  no  failures  have  occurred.  If 
the  errors  are  consistently  larger  than  anticipated  under  the  no  failure 
hypothesis,  then  the  likelihood  function  magnitude  will  grow  abnormally 
large. 

The  value  of  N  is  a  design  variable.  Very  small  values  are  avoided 
since  individual  error  samples  of  large  magnitude  are  expected  even 


under  normal  conditions.  On  the  other  hand,  very  large  values  should  be 
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avoided  because  sensitivity  to  actual  sensor  failures  would  then  be  re¬ 
duced  substantially.  Furthermore,  the  N  most  recent  samples  of  data 
must  be  maintained  in  storage,  so  large  N  is  avoided  from  a  considera¬ 
tion  of  memory  and  computational  loading  of  the  onboard  computer.  This 
investigation  has  demonstrated  that  a  choice  of  N  between  5  and  20 
yields  good  performance. 

Initially,  failures  were  declared  when  the  likelihood  function  mag¬ 
nitude  surpassed  a  threshold  that  represented  the  largest  magnitude  at¬ 
tained  under  any  normal  operational  condition.  This  threshold  value  for 
each  likelihood  function  can  be  altered  by  data  input  to  the  software 
package.  However,  analysis  of  the  results  indicated  that  this  procedure 
resulted  in  rather  high  threshold  magnitudes.  Certain  types  of  maneu¬ 
vers  would  generate  large  transient  magnitudes  with  no  failures  simu¬ 
lated,  especially  in  the  attitude  filters.  Using  these  magnitudes  to 
set  threshold  values  inhibited  failure  detection  during  straight  and 
level  flight,  the  type  of  flight  regime  that  composed  the  majority  of 
time  spent  in  the  air.  Consequently,  it  is  useful  to  specify  both  a 
threshold  value  and  a  parameter  to  indicate  the  time  (or  number  of 
algorithm  iteration  periods)  that  the  threshold  must  be  consistently 
surpassed  before  a  failure  is  declared.  Such  a  "time-to-failure-declar- 
ation"  parameter  is  also  a  control  variable  set  by  control  data  input 
for  each  likelihood  function  individually.  This  will  be  discussed 
further  in  Section  III. 2. 5. 

The  algorithm  iteration  rate,  or  data  sample  rate,  is  also  a  design 
parameter.  In  this  investigation,  a  sample  period  of  0.2  seconds  was 
found  to  yield  adequate  performance  without  overburdening  the  computer 
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capabilities  in  any  way.  Longer  sample  periods  tended  to  have  unaccept¬ 
ably  long  mean  times  to  detection  of  failures  and  poor  state  estimate 
propagation  in  the  filters  between  sample  times,  especially  in  the  case 
of  the  attitude  filters  using  a  first  order  integration  of  nonlinear 
equations.  On  the  other  extreme,  shorter  sample  periods  tended  to  yield 
superior  performance  but  the  advantage  gained  was  questionable  compared 
to  the  additional  computer  loading. 

The  outputs  of  the  software  package  contribute  significantly  to  its 
potential  use  as  a  design  tool.  A  single  run  of  the  program  can  gener¬ 
ate  a  substantial  amount  of  printout  and  plot  data  (using  control  input 
cards  to  determine  how  much  is  actually  provided),  including: 

(1)  For  each  state  variable  in  the  Kalman  filters,  the  value  of 

<x  -  xt> 

(2)  The  corresponding  error  standard  deviations  as  estimated  by 
the  filters 

(3)  The  values  of  x  and  P,  and  7  and  M,  as  well  as  z  and  u^  for 
each  Kalman  filter 

(4)  For  the  attitude  filters,  the  optimal  estimate  x  obtained  by 
combining  the  two  individual  filters,  the  corresponding  values 
of  (x  -  xt)  and  P,  and  z ^  obtained  by  combining  only  INS  and 
AHRS  data 

(5)  Individual  likelihood  functions 
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(6)  Threshold  values  and  time-to-fai lure-declaration  parameters 
for  each  likelihood  function 

(7)  Time  and  type  of  failures  declared  during  the  run 

(8)  Single  likelihood  function  terms  and  corresponding  squared  re¬ 
siduals  and  estimated  residual  error  covariances 

(9)  The  minimum  and  maximum  values  attained  by  each  likelihood 
function  in  the  most  recent  fJ  iterations 

(10)  Periodically,  all  pertinent  simulation  parameters  or  real 
environment  data. 


The  first  two  outputs  facilitate  the  setting  of  and  R^j  of 
equations  (72)  and  (73).  For  a  given  state  variable  x,  x  is  the  filter 
estimate  of  its  value  and  x^  is  the  "true"  value  as  provided  by  the  sim¬ 
ulation.  (Note  again  that  x^  is  not  available  when  real  data  tapes  sup¬ 
plant  the  simulations  of  aircraft  and  sensors.)  The  difference 
(x  -  xt)  is  then  printed  out  every  iteration,  and  a  plot  of  its  values 
over  the  entire  test  trajectory  is  generated  as  well.  This  can  then  be 
compared  to  printouts  and  plots  of  the  corresponding  standard  deviations 
(lo  values)  as  estimated  by  the  Kalman  filters.  In  fact,  these  are 


simply  the  square  roots  of  the  diagonal  terms  of  the  propagated  error 
covariance  matrix,  P.  To  "tune"  the  filters,  the  pseudonoise  strengths 
are  adjusted  until  the  (x  -  xt)  sequence  and  the  standard  deviations 
correspond  such  that  95»  of  the  true  error  sequence  lies  within  the  2a 
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envelope  generated  by  the  standard  deviation.  In  practice,  this  tuning 
is  accomplished  more  easily  with  plots  of  (x  -  x^)  and  the  2o  envelope 
than  with  digital  printout,  so  such  plots  are  produced  by  the  software. 

The  third  set  of  outputs  allows  an  evaluation  of  the  filter  state 
estimation  capability.  Both  the  estimates  just  before  and  just  after 
incorporation  of  a  measurement  are  included  to  portray  the  separate  ef¬ 
fects  of  time  propagation  of  the  state  estimate  and  updates  at  measure¬ 
ment  times.  In  the  case  of  the  attitude  filters,  this  is  especially 

valuable  for  determining  the  adequacy  of  the  simple  integration  algo- 

_  /\ 

rithm  for  propagation:  if  x  is  consistently  poor  and  x  substantially 
better,  then  some  alteration  of  the  filter  propagation  technique  is  ad¬ 
visable,  whether  it  be  a  higher  order  integration  technique,  or  the 
simple  method  applied  iteratively  to  partitions  of  the  time  interval 
between  measurements,  or  a  smaller  overall  sample  period. 


With  regard  to  the  fourth  set  of  outputs,  each  of  the  two  attitude 
filters  generates  optimal  estimates  of  the  Euler  angles.  Denote  the 
output  of  the  filter  driven  by  AFCS  rate  gyros  and  the  INS  as  x^<-  and 
PjNS,  and  similarly  let  the  outputs  of  the  filter  driven  by  the  AFCS 
rate  gyros  and  AHRS  be  x^HR<-  and  If  reasonable  state  estimation 

performance  were  achieved,  it  would  be  valuable  to  calculate  an  "over- 

A 

all -optimal"  state  estimate,  Overall >  combined  the  data  from  a1I 
three  sensor  systems.  Its  value  would  be  computed  as 


^OVERALL 


p  -1  .  p  -1 

--INS  I-AHRS 


-1 


-1 


-INS 


-INS  +  -AHRS 


-1 


-AHRS 


(74) 
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This  could  be  approximated  (with  substantial  decrease  in  computer  loading) 
on  a  component-by-component  basis  as 


OVERALL ■ 


_ J _  +  _ L .  - 

P  INS-,- 1  P  AHRS-j  -j 


XINS .  XAHRS . 

_ L  + _ i_ 

'"S„  pahrsh 


PIN5jjt  PAHRSi;L"RSii  X"‘Si  ^  P,NSii  XflHRSiJ  1751 


The  overall  error  convariance  would  be  calculated  as 

P  =  P  +  P  ( 76) 

^-OVERALL  -INS  -AHRS 

Comparing  the  lo  values  from  this  P^^ and  the  sequence  of  (^VERALL 
-  x^.)  would  then  indicate  the  state  estimation  capability  of  this  com¬ 
bined  estimate. 


However,  the  state  estimation  performance  of  the  3-dimensional 
attitude  filters  is  poor  because  of  simplified  propagation  models  within 
the  filters.  Therefore,  such  an  "overall-optimal"  estimate  is  not 
warranted.  If  a  more  sophisticated  propagation  model  were  incorporated, 
this  would  be  a  viable  concept.  Such  a  sophisticated  model  would  be  of 
higher  dimension  than  three,  so  equations  (74)  and  (76)  would  be  com¬ 
putationally  burdensome.  One  could  then  utilize  the  approximation  of 
equation  (75)  or  use  the  relationships 


Overall  =  -ins  +  [zahrs  '  -  -ins 

-K0  =  -INS  -  -TNS  ii  + 


INS  -  ^AHRS- 


^OVERALL  =  -INS  '  — o  -  -INS 
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where  the  inverse  in  equation  (78)  is  a  (3  x  3)  matrix  inversion.  That 
these  equations  duplicate  equations  (74)  and  (76)  can  be  proven  by  meth- 
ods  presented  in  Reference  [  ]. 

The  variable  ^  mentioned  in  the  fourth  set  of  outputs  is  the 
weighted  average  of  the  measurements  taken  from  the  INS  and  AHRS: 


rins  2jns  +  r-ahrs~V?ahrs  (80) 


^AVG  =  RINS  1  +  -tAHRS 


If  Rins  and  Rahr$  are  diagonal  matrices  (as  they  often  are),  then  a 

relationship  similar  to  (75)  would  be  exact,  rather  than  an  approxima¬ 
tion: 


Zfl,Gi  '  Rl«si(+W..'  R«  2!NS  *  R1NS..  zmrs,  W) 

11  1  1  L  11  1 

Such  an  evaluation  would  be  a  best  estimate  of  the  Euler  angles  based  on 
both  INS  and  AHRS  data,  useful  in  the  event  that  a  failure  were  to 
affect  the  AFCS  rate  gyros. 

The  fifth  set  of  outputs  are  printouts  and  plots  of  the  likelihood 
function  values  over  a  given  computer  run.  Especially  useful  are  the 
Plots  of  the  individual  likelihood  functions,  since  the  stead  -state  and 
transient  characteristics  of  those  functions  will  be  of  utmost  impor¬ 
tance  in  the  declaration  of  failed  sensors.  The  distinguishing  aspects 
between  the  likelihood  functions  resulting  from  normal  operation  and 
those  generated  when  a  failure  has  occurred  can  be  more  readily  dis¬ 
cerned  from  time  plots  than  from  data  printout.  In  fact,  it  was  the  use 
of  these  plots  that  enabled  this  investigation  to  improve  the  failure 
detection  capabilities  of  the  functional  redundancy  method  so  markedly. 
Understanding  the  dynamic  characteristics  of  the  likelihood  functions 
suggested  the  incorporation  of  "time- to- fai lure-declaration"  parameters 
in  conjunction  with  thresholds  for  each  likelihood  function,  both  of 
which  are  also  printed  outputs  of  the  software  package. 
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Besides  outputting  the  individual  likelihood  functions  (each  of 
which  is  an  N-step  sum),  the  software  also  prints  out  the  value  of  the 
individual  terms  that  compromise  the  likelihood  functions,  i.e.,  terms 
of  the  form  { - 1 /2 [e  (i)/o  (i)]}.  Also  printed  are  the  individual  values 
of  e  (i),  the  squared  value  of  the  observed  residual,  and  of  o  (i),  the 
variance  of  the  residual  sequence  as  propagated  by  the  filter  itself. 

If  and  when  large  magnitude  likelihood  functions  or  other  off-nominal 
characteristics  occur,  then  these  outputs  aid  the  analysis  of  their 
generation. 

The  final  selection  of  appropriate  values  for  the  thresholds  and 
time-to-fai lure-detection  parameters  for  each  likelihood  function  is 
expedited  by  observing  the  minimum  and  maximum  likelihood  function  mag¬ 
nitude  in  the  last  I  iterations,  where  I  is  an  adjustable  integer.  Here 
I  is  actually  a  proposed  value  for  the  number  of  algorithm  iterations 
before  a  failure  is  declared.  By  looking  at  both  no-failure  and  sensor 
failure  test  cases,  the  threshold  and  I  values  can  be  chosen  so  that 
(ideally)  no  normal  operation  will  cause  the  likelihood  function  to  ex¬ 
ceed  the  threshold  for  I  consecutive  iterations,  while  (ideally)  all  ap¬ 
propriate  failure  cases  will  cause  this  threshold  to  be  surpassed  for  at 
least  I  iterations  consecutively. 

The  periodic  display  of  all  pertinent  simulation  or  real  environ¬ 
mental  data,  in  addition  to  model  reference  and  likelihood  function  per¬ 
formance  information,  is  performed  for  convenience  of  the  user.  Whether 
or  not  this  display  is  made,  and  its  frequency  of  occurrence,  can  be 
controlled. 

I 
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2.4  FILTER  TUNING 

As  described  previously,  the  Kalman  filters  are  tuned  by  adjusting 
and  R^pj  until  the  sequence  of  (x  -  x^)  values  in  each  filter  cor¬ 
relates  well  with  the  standard  deviations  propagated  in  the  filter  P  ma¬ 
trices  during  a  set  of  Monte  Larlo  runs.  This  adjustment  is  an  iter¬ 
ative  trial  and  error  process,  but  some  guidance  can  be  suggested  for 
the  procedure. 


First  of  all,  the  sequence  of  differences  between  the  simulated 
output  of  any  sensor  and  the  simulated  "true"  value  of  the  variable 
should  be  analyzed  to  verify  that  the  established  values  of  Q.$£NsgR  and 
-SENSOR  corre^ate  reasonably.  If  real  data  is  used  instead  of  simulated 
data,  some  calibration  period  or  other  similar  condition  will  provide 
sensor  output  during  which  time  the  true  value  of  the  measured  parameter 
is  known,  and  a  similar  procedure  can  be  followed. 


If  the  P  matrix  underestimates  the  error  statistics,  especially  dur¬ 
ing  periods  of  significant  maneuvering,  i.e.,  in  a  transient  manner,  the 
values  of  Q^pj  rather  than  R^pj  should  be  increased.  Thus,  if  the  error 
in  the  roll  estimate  exceeds  the  level  predicted  by  P  for  a  time  inter¬ 
val  after  a  roll  maneuver,  then  the  corresponding  element  in  Q^pj  would 
be  increased  to  show  a  decreased  confidence  in  the  ability  of  the  filter 
dynamic  model  to  represent  the  physical  situation  adequately.  This  ad¬ 
justment  should  be  coordinated  with  the  effects  on  the  appropriate  like¬ 
lihood  function  plots.  This  sensitivity  to  trajectory  dynamics  is 
treated  more  fully  in  paragraph  2.6  of  this  section. 
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In  the  case  of  the  two  attitude  filters,  each  driven  by  the  same 
rate  gyro  information,  if  the  characteristics  with  which  P  mi srepresents 
the  true  error  covariance  are  very  similar  in  the  two  filters,  then  ad¬ 
justment  of  is  appropriate.  However,  if  only  one  P  misrepresents 
the  error  covariance  significantly,  then  its  associated  R^j  should  be 
compensated. 

2.5  THRESHOLDS  AND  TIME -TO- FAILURE -DECLARATION  PARAMETERS 

Standard  procedure  for  setting  thresholds  for  likelihood  function 
hypothesis  testing  would  be  to  conduct  a  number  of  trials  with  no  fail¬ 
ures  and  determine  the  largest  magnitude  attained  by  each  of  the  likeli¬ 
hood  functions.  Then  a  series  of  failure  runs  would  be  made,  and  the 
minimum  magnitudes  of  likelihood  functions  that  are  expected  to  demon¬ 
strate  a  sensitivity  to  a  certain  failure  are  recorded.  If  a  region  of 
uncertainty  is  thereby  established,  i.e.,  if  there  exist  some  likelihood 
function  magnitudes  below  the  largest  magnitude  achieved  with  no  fail¬ 
ures  while  above  the  smallest  magnitudes  attained  with  pertinent  fail¬ 
ures,  then  some  compromise  is  necessary.  It  might  be  appropriate  to 
set  the  threshold  so  as  to  preclude  either  false  alarms  or  missed 
alarms  (not  both),  or  to  choose  a  threshold  level  between  these  two  ex¬ 
tremes  and  accept  some  percentage  of  both  missed  alarms  and  false  alarms. 

Considerable  effort  was  expended  in  an  attempt  to  make  thresnold 
setting  more  methodical,  rather  than  simply  looking  at  highest  likeli¬ 
hood  values  attained  under  normal  conditions  and  the  lowest  attained 
under  failed  conditions.  What  resulted  was  a  means  of  predicting  the 
probability  of  detection  and  probability  of  missed  alarm  when  a  sensor 
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failed,  as  a  function  of  the  threshold  setting.  Similarly,  the  proba¬ 
bilities  of  no  alarm  or  a  false  alarm  when  a  failure  did  not  actually 
occur  could  also  be  calculated  as  a  function  of  threshold  level. 


Such  a  description  of  the  probability  of  the  detection  logic  sig¬ 
nalling  a  failure  is  developed  in  the  following  manner.  A  failure  is 
declared  if  the  likelihood  function  becomes  more  negative  than  some 
threshold  level;  i.e.,  if 


<  -T 


(82) 


where  T  is  the  magnitude  of  the  threshold  and  L^(i)  is  approximated  as 
(see  Section  II. 1 .4): 


U,(i) 


l 

j = i  -m  ■*- 1 


e2(j)/o2(j) 


(83) 


When  a  Kalman  filter  model  reference  is  used,  e(j)  is  one  of  the  filter 
residuals  and  o  (j)  is  the  filter's  estimate  of  the  variance  of  that  re¬ 
sidual  error,  as  given  in  equations  (43)  and  (44,.  Thus  a  failure  is 
declared  if: 


i 

S 

j  =  i-mH 


e2(j)/a2(j)] 


>  2T 


(84) 


First  consider  the  simplest  case  of  N  =  1.  Then  equation  (84)  relates 
that  a  failure  is  declared  if 

( e ( i ) |  >  V2T  o(i)  (85) 

Now  assume  that  the  actual  residuals,  under  either  no-failure  or  failed 
conditions,  can  be  described  (or  at  least  approximated)  statistically  by 
a  Gaussian  density  with  mean  b(i)  and  variance  at ( i ) .  Then  the  proba¬ 
bility  of  declaring  a  failure  is  the  shaded  area  in  Figure  4.  If  this 
plot  is  normalized  by  using  ot  as  a  scaling  factor,  as  in  Figure  4,  then 
the  probability  of  declaring  a  failure  can  be  computed  from  unit  normal 
density  tables  for  selected  numerical  values  for  (b/a^)  and  (/?T  a/ot). 
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It  is  then  possible  to  plot  the  probability  of  declaring  a  failure  as  a 
function  of  b/o^,  for  different  values  of  the  normalized  threshold 
fZX  o/cfj..  This  is  presented  in  Figure  5,  for  normalized  threshold 
values  of  0.5,  1,  1.5,  2,  and  3.  Also  plotted  on  this  figure  is  the 
locus  of  probabilities  of  declaring  a  failure  when  the  actual  mean  of 
the  residual  density,  b,  assumes  the  critical  value  for  failure  declar¬ 
ation,  y/TT  a.  (Note  that  an  actual  failure  would  probably  cause  b  to  be 
greater  than  this  value  or  causes  ot  to  be  very  large.) 

Referring  back  to  Figure  4a,  another  useful  means  of  presenting 

this  data  would  be  to  plot  probabilities  of  failure  declaration  as  a 

function  of  ( — - — •) .  This  is  possible,  since  — —  =  (b/o.)/(./2T  a/a.) 

S2Ta  S?Ta  t  1 

and  is  depicted  in  Figure  6.  Here,  the  locus  of  b  -  ^2f  a  is  along  the 

vertical  line  at  b  =  1. 

/2T  a 

For  N  greater  than  one,  a  similar  procedure  would  be  used.  Assume 

that  the  filter  estimate  of  variance  does  not  change  significantly  in  N 

sample  periods,  that  the  N  residuals  are  each  described  by  a  Gaussian 

2 

density  with  mean  b  and  variance  a t  as  before,  and  that  the  N  values 
formed  by  subtracting  b  from  each  residual  are  uncorrelated.  Then  a 
parallel  development  is  possible,  except  that  the  probability  density  of 
a  Gaussian  random  variable  is  replaced  with  the  density  of  a  chi  vari¬ 
able  with  N  degrees  of  freedom  [Ref.  4].  For  each  value  of  N,  a  plot 
similar  to  Figure  5  can  be  developed. 


AFFDL-TR-76-93 


39 


AFFDL-TR-76-93 


Thus,  a  more  complete  knowledge  of  system  performance  can  be  at¬ 
tained  by  predicting  the  probabilities  of  detected  failures,  false 
alarms,  and  missed  alarms.  To  this  point,  however,  an  essentially 
static  analysis  of  the  likelihood  function  value  has  been  employed  to 
establish  a  single  criterion  for  declaring  a  failure--that  of  surpassing 
a  selected  threshold  value. 

Another  alternative  avails  itself  when  the  dynamic  characteristics 
of  likelihood  function  values  are  investigated.  Such  analysis  is 
greatly  aided  by  the  time  plots  of  likelihood  functions  generated  by 
the  software  package.  Certain  trends,  transients,  and  other  character¬ 
istics  become  evident  in  these  plots  which  serve  to  differentiate  be¬ 
tween  no-failure  and  failed  sensor  circumstances. 

One  significant  discernible  characteristic  is  the  sensitivity  of 
certain  likelihood  functions  to  rapid  changes  in  aircraft  orientation. 
Immediately  following  a  rapid  roll  to  initiate  a  turn,  the  likelihood 
functions  corresponding  to  the  roll  Euler  angle  undergo  a  transient 
growth  in  magnitude  with  rapid  decay.  (The  length  of  time  for  recovery 
from  the  transient  is  a  function  of  N,  the  number  of  times  any  given  re¬ 
sidual  will  be  maintained  in  the  likelihood  function  evaluation.)  If 
such  transients  could  be  masked  out,  the  thresholds  for  declaring  fail¬ 
ures  can  be  set  substantially  tighter,  while  simultaneously  minimizing 
the  probability  of  declaring  false  alarms.  This  is  true  because  the 
standard  techniques  of  threshold  setting  would  record  the  peaks  of 
these  transient  magnitudes  as  levels  above  which  the  threshold  should  be 
set  to  preclude  false  alarms.  Actually,  the  typical  likelihood  function 
magnitudes  are  substantially  lower  than  these  peaks.  If  the  transients 
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could  be  recognized  and  removed,  the  maximum  likelihood  function  magni¬ 
tude  under  normal  conditions,  other  than  rapid  transients,  and  thus  an 
appropriate  threshold  level  for  preventing  false  alarms,  would  be  sig¬ 
nificantly  lower  than  achieved  by  the  standard  approach. 

One  means  of  masking  out  these  transients  is  through  use  of  time- 
to-failure  declaration  parameters.  Suppose  it  is  known  that  transients 
occurring  during  normal  operation  will  surpass  a  certain  threshold  level 
but  will  rapidly  return  below  that  level,  while  any  pertinent  failure 
will  cause  the  likelihood  function  to  surpass  the  level  and  remain  above 
it.  Then  it  is  possible  to  establish  a  failure  detection  criterion  of 
the  form,  "If  the  likelihood  function  passes  a  given  threshold  level  and 
remains  above  it  for  a  specified  period  of  time  (or  number  of  algorithm 
iterations),  then  a  failure  is  declared." 

Setting  these  thresholds  and  time-to-failure-declaration  parameters 
must  be  done  in  a  coordinated  fashion.  If  a  long  time-to-failure- 
declaration  parameter  were  chosen,  a  tight  threshold  could  be  chosen 
with  few  false  or  missed  alarms,  but  at  the  expense  of  a  delay  in  de¬ 
claring  real  failures.  On  the  other  hand,  if  a  very  short  time-to- 
failure-declaration  parameter  were  chosen,  the  ambiguity  between  like¬ 
lihood  function  transients  and  behavior  due  to  real  failures  would  not 
be  substantially  decreased.  Consequently,  a  trade-off  must  be  conducted 
and  the  best  pair  of  values  (of  a  threshold  and  time-to-failure-declar¬ 
ation  parameter)  for  each  likelihood  achieved  after  some  iterative 
search.  Note  that,  for  a  likelihood  function  that  does  not  exhibit  such 
transient  behavior,  only  a  threshold  value  is  required. 
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2.6  SENSITIVITY  TO  AIRCRAFT  MANEUVERS 

The  sensitivity  of  certain  likelihood  functions  to  aircraft  maneu¬ 
vers  was  mentioned  as  the  primary  motivation  for  the  time-to-fai lure 
declaration  parameters.  In  this  section,  an  elaboration  of  this  sensi¬ 
tivity  will  be  made,  indicating  causes,  means  of  alleviation,  and  ef¬ 
fects  upon  failure  detection  philosophy. 

Figure  7  is  a  typical  plot  of  the  likelihood  function  corresponding 
to  the  roll  Euler  angle  in  the  AFCS-INS  Kalman  filter  in  a  no-failure 
simulation  run.  The  two  transient  dips  occur  at  the  times  when  the  air¬ 
craft  first  rolls  to  initiate  a  turn  and  then  again  when  it  rolls  to  re¬ 
sume  straight-and-level  flight.  It  is  noted  that  the  likelihood  func¬ 
tion  employed  was  a  10-step  sum  of  terms  (i.e,  N  =  10),  and  that  both 
the  rate  of  recovery  from  such’  transients  and  the  ratio  of  transient 
peak  value  to  "normal"  likelihood  function  value  are  a  function  of  N. 
During  che  turn  itself,  the  likelihood  function  returns  to  a  "normal" 
magnitude;  it  is  only  the  rolling  maneuvers  themselves  that  generate  the 
transient  behavior. 

This  behavior  can  be  attributed  to  the  inability  of  the  first  order 
integration  of  simplified  nonlinear  equations  to  model  adequately  the 
true  dynamics  of  a  rapid  change  in  aircraft  orientation.  Therefore, 
some  means  of  reducing  the  effect  would  be: 

(1)  improving  the  dynamics  model,  at  the  expense  of  higher  dimen¬ 
sional  state  vectors  in  the  filters  and  computer  loading; 


92 


AFFDL-TR-76-93 


(2)  improving  the  means  of  integration:  higher  order  techniques, 
smaller  iteration  periods,  etc.,  but  again  at  the  expense  of 
computer  loading; 

(3)  increasing  the  driving  noise  covariance  £  in  the  filters  be¬ 
yond  the  value  which  yields  good  filter  performance  in  a  less 
maneuvering  flight  mode  to  indicate  reduced  confidence  in  the 
model  employed;  but,  this  would  tend  to  decrease  detection 
sensitivity  for  such  conservative  flight  modes. 

For  a  feasible  onboard  implementation,  the  simplest  algorithm  that 
yields  suitable  performance  would  be  most  preferable,  so  items  (1)  and 
(2)  above  would  require  substantial  performance  improvement  to  be  war¬ 
ranted,  as  they  do  entail  significant  increases  in  computer  time  and 
memory.  With  regard  to  (1),  (2),  and  (3),  the  simple  model  is  in  fact 
adequate  for  a  more  benign  flight  regime,  and  should  be  exploited  if 
possible. 

The  detection  thresholds  should  probably  be  set  as  tightly  as  pos¬ 
sible  to  the  likelihood  function  values  achieved  in  normal  straight  and 
level  flight.  This  is  the  flight  regime  that  composes  the  vast  majority 
of  time  in  the  air.  Also,  it  is  the  regime  that  is  best  modelled  by  the 
simplified  dynamics  models  embodied  in  the  filters,  so  the  validity  of 
detection  is  greatest  for  this  regime  as  well. 

If  this  philosophy  is  accepted,  some  accounting  must  be  made  for 
the  transients  incurred.  One  method  might  be  to  declare  a  potential 
failure,  remove  the  sensor  from  the  filter  inputs  (especially  if  the 
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filter  can  operate  without  it),  but  allow  immediate  recertification  of 
the  sensor.  Besides  causing  nuisance  alarms,  this  technique  would  re¬ 
sult  in  the  loss  of  some  valuable  data  before  recertifiction  if  a  fail¬ 
ure  did  not  really  occur. 

Another  method  would  be  to  use  the  time-to-failure-declaration  pa¬ 
rameter  concept  as  described  in  the  last  section.  This  is  a  rather  sim¬ 
ple  and  effective  solution  to  the  problem,  but  does  suffer  from  causing 
some  delay  in  declaration  of  actual  failures.  Such  a  delay  would  result 
not  only  in  use  of  bad  data  by  the  aircraft  control  system,  but  might 
also  cause  filter  performance  to  diverge  beyond  the  point  of  recovery 
once  the  bad  data  were  removed  from  its  input  channels. 


If  the  time-to-failure-declaration  parameter  concept  is  not  ade¬ 
quate,  making  the  failure  detection  logic  adaptable  to  the  amount  and 
type  of  maneuvering  might  be  considered.  By  monitoring  control  surfaces 
such  as  ailerons,  or  commands  sent  to  these  control  surfaces  by  the 
pilot  and  autopilot,  the  detection  logic  could  know  when  high  roll  rates 
or  other  transient-inducing  phenomena  were  going  to  occur.  Under  "nor¬ 
mal"  flight  conditions,  the  logic  would  employ  the  appropriately  tight 
thresholds.  When  informed  of  such  transient-inducing  phenomena,  it 
could 

(1)  simply  nullify  any  failure  declarations  due  to  threshold  pas¬ 
sage  until  the  phenomena  terminated  (as,  until  high  roll  rates 
are  no  longer  sensed  or  commanded), 

(2)  invoke  higher  magnitude  thresholds  until  the  phenomena  termi¬ 
nated,  or 
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(3)  invoke  the  additional  time-to-fai lure  declaration  criterion 
besides  threshold  passage  during  this  time  period. 

It  should  be  mentioned  that  one  reason  for  conducting  flight  tests 
to  generate  real  data  is  to  corroborate  the  characteristics  of  Figure  7. 
There  was  some  question  about  the  realism  of  roll  angle  values  generated 
by  the  simulation  program  during  a  roll  maneuver.  Although  the  same  ba¬ 
sic  trend  of  this  figure  is  anticipated,  the  exact  character  of  the 
transients  may  well  be  less  pronounced  using  real  data.  Nevertheless, 
this  effort  has  assumed  that  the  simulation  is  valid  in  order  to  conduct 
performance  analyses  (subject  to  revision  if  necessary). 

2.7  SENSITIVITY  TO  INSTRUMENT  BIASES 

Sensitivity  of  performance  to  in-tolerance  instrument  biases  is  an 
important  concern.  Therefore,  twenty-four  separate  biases  are  individu¬ 
ally  adjustable  in  the  design  tool -performance  analysis  program  package. 
These  are  the  separate  biases  on  the: 


(1) 

three  Euler  angle  outputs  of  the 

INS 

(2) 

three  accelerometers  of  the  INS 

(3) 

three  gyros  of  the  INS 

(4) 

three  Euler  angle  outputs  of  the 

AHRS 

(5) 

two  axes  of  the  vertical  gyro  of 

the  AHRS 

(6) 

directional  gyro  of  the  AHRS 

(7) 

compass  of  the  AHRS 

(8) 

normal  accelerometer  of  the  AFCS 

(9) 

three  rate  gyros  of  the  AFCS 

00) 

static  pressure  signal  of  the  ADS 
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(11)  pitot  pressure  signal  of  the  ADS 

(12)  angle  of  attack  output  of  the  ADS 

(13)  total  temperature  output  of  the  ADS. 

Both  statistical  and  noise  case  descriptions  of  these  biases  were 
developed  for  the  equipment  used  in  the  F-4.  With  these  values,  real¬ 
istic  effects  due  to  in-tolerance  sensor  biases  could  be  analyzed  by  the 
software  package.  Computer  runs  were  conducted  with  all  biases  zeroed 
except  for  one  (to  study  sensitivity  of  performance  to  individual  biases), 
and  all  set  to  representative  values  (to  investigate  combined  effects). 

By  determining  which  individual  bias  variations  cause  the  most  degrada¬ 
tion  in  performance,  one  can  specify  which  sensors  must  have  the  tight¬ 
est  bias  drift  characteristics  for  utilization  in  the  integrated  data 
system. 

2.8  PREFLIGHT  INITIALIZATION 

A  data  reduction  program  capable  of  efficient  calculation  of  the 
mean,  variance,  and  whiteness  of  a  sequence  of  sampled  data  signal 
values  was  described  earlier  in  paragraph  2.2  of  this  section.  One 
application  of  this  program  would  be  for  preflight  initialization.  As 
envisioned  here,  a  standard  test  computer  program  could  be  implemented 
in  ground  support  equipment  (or  possibly  onboard)  to  produce  good  ini¬ 
tialization  before  each  flight  of  the  vehicle. 

First  of  all,  by  running  the  sensor  systems  in  a  preflight  test 
when  the  true  values  of  measured  parameters  are  available,  the  computed 
mean  of  signal  values  can  be  used  to  estimate  the  biases  in  the  indi¬ 
vidual  sensors.  From  analysis  of  sensor  performance  data  it  can  be  seen 
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that  typically  the  turnon-to-turnon  nonrepeatability  is  considerably 
greater  than  instrument  bias  drift  generated  during  the  mission  flight 
period.  Thus,  if  the  biases  were  estimated  each  time  the  instruments 
were  turned  on,  then  these  bias  estimates  would  be  valid  for  the  endur¬ 
ance  of  the  mission.  Such  compensation  would  improve  sensor  system 
performances,  decrease  concern  about  sensitivity  of  detection  to  biases, 
increase  the  adequacy  of  the  simple  dynamic  models  in  the  filters,  and 
substantial ly  reduce  the  need  of  adding  on-line  bias  estimation  capabil¬ 
ity  to  these  filters. 

Furthermore,  the  estimation  of  variance  could  be  exploited  as  well. 
The  B5EN5QR’  ^SENSOR’  ancl  va^ues  embodied  in  the  Kalman  filters  are 
established  by  statistical  testing  of  representative  instruments.  Pre¬ 
flight  analysis  of  sensors  could  determine  if  the  particular  sensors  on¬ 
board  the  aircraft  perform  in  the  same  manner  as  the  "population  statis¬ 
tics"  would  indicate.  In  other  words,  valid  values  of  ^SENSOR’  -SENSOR’ 
and  could  be  obtained  for  each  individual  aircraft's  complement  of 
instrumentation.  In  addition  to  this  fine  tuning  to  particular  sensors, 
such  analysis  performed  routinely  on  the  same  aircraft  over  a  period  of 
time  could  indicate  aging  and  other  performance  trends  of  the  instru¬ 
ments  onboard. 

3.  MODES  OF  USAGE 

Once  the  functional  redundancy  logic  has  been  developed  with  the 
aid  of  the  design  tool,  onboard  implementation  can  be  considered.  This 
logic  is  not  meant  to  be  a  detection  system  unto  itself,  but  part  of  an 
integrated  failure  detection  system,  as  described  in  the  next  paragraph 
(3.1).  Section  3.2  subsequently  considers  the  various  appropriate  means 


AFFDL-TR-76-93 

of  declaring  failures  with  the  functional  redundancy  logic.  Then  Sec¬ 
tion  3.3  investigates  how  the  data  system  might  adapt  and  reconfigure 
itself,  once  a  failure  has  been  declared.  As  will  become  apparent,  the 
choices  made  here  can  yield  implementations  that  range  from  very  simple 
to  very  sophisticated. 

3.1  INTEGRATED  FAILURE  DETECTION  SYSTEM 

As  mentioned  in  the  beginning  paragraphs  of  Section  I,  the  func¬ 
tional  redundancy  concept  is  meant  to  complement,  rather  than  totally 
replace,  other  means  of  sensor  failure  detection.  By  being  used  in 
conjunction  with  hardware  redundancy,  deterministic  tests,  built-in-test 
(BIT),  and  ground  support  methods,  an  efficient,  integrated,  failure 
detection  system  can  be  achieved. 

Functional  redundancy  is  not  the  most  appropriate  technique  for  the 
entire  failure  detection  system.  For  instance,  BIT  and  reasonableness 
tests  can  readily  detect  many  hard  failures  with  very  little  computa¬ 
tion.  On-line  estimation  and  compensation  of  biases  and  scale  factor 
errors  are  more  easily  achieved  by  hardware  redundancy,  though  func¬ 
tional  redundancy  can  provide  an  "extra  voter"  in  the  original  detec¬ 
tion.  Also,  because  of  the  response  time  of  the  logic,  functional 
redundancy  would  probably  not  be  the  sole  means  of  detecting  failures  of 
sensors  that  are  critical  to  safety  of  flight. 

However,  functional  redundancy  does  provide  a  substantial  contri¬ 
bution  to  such  an  integrated  failure  detection  system.  It  significantly 
reduces  the  required  hardware  redundancy  for  attaining  "two-fail -operate" 
capabilities  or  other  similar  degrees  of  reliability.  By  correlating 
data  from  different  types  of  data  sensors,  it  removes  the  need  for  a 

proliferation  of  identical  sensors  onboard  an  aircraft. 
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3.2  MEANS  OF  DECLARING  FAILURES 

In  the  simplest  form,  a  failure  is  declared  if  a  likelihood  func¬ 
tion  surpasses  a  given  threshold  (which  may  or  may  not  be  adaptively  set 
to  aircraft  maneuvering).  For  some  likelihood  functions,  time-to- 
fai lure-declaration  parameters  are  also  incorporated  into  the  criterion 
for  failure  declaration.  However,  there  are  certain  additional  aspects 
of  failure  declaration  that  should  be  considered. 

If  a  time-to-failure-declaration  parameter  is  used  with  a  certain 
threshold  for  failure  detection,  it  may  be  desirable  to  be  able  to  de¬ 
tect  obvious  failures  without  the  inherent  delay  caused  by  that  param¬ 
eter.  For  that  reason,  a  second,  larger  threshold  might  be  established 
such  that  if  the  likelihood  function  surpasses  both  thresholds,  then  a 
failure  is  declared  immediately.  Such  a  multiple  threshold  could  be 
used  to  discriminate  between  hard  failures  (in  which  no  useful  data 
would  be  expected)  and  soft  failures  (which  could  result  in  degraded 
sensor  performance,  but  some  useful  information  still  is  expected  to  be 
available  from  the  sensor).  This  discrimination  capability  might  war¬ 
rant  different  data  system  adaptations  to  hard  and  soft  failures,  as 
discussed  in  the  next  section. 

Multiple  thresholds  might  also  be  used  to  advantage  in  another  way. 
A  smaller  threshold  might  be  established  and  time  beyond  that  threshold 
recorded  as  an  indication  of  a  sensor  starting  to  go  out  of  tolerance, 
or  degrade  in  some  other  manner,  without  actually  failing.  Such  a  test 
could  be  conducted  with  ground  equipment  rather  than  on-line  at  all 
times. 
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By  referring  to  Table  IV  in  Section  II. 2. 6,  it  can  be  seen  that 
failure  isolation  is  dependent  upon  which  of  the  ten  likelihood  func¬ 
tions  are  beyond  threshold  value.  Certain  failures  affect  a  single 
likelihood  function  while  other  failures  affect  a  number  of  them.  Thus, 
if  a  failure  that  affected  two  or  more  likelihood  functions  were  to 
occur,  and  the  thresholds  were  passed  at  slightly  different  times,  it  is 
possible  to  mistakenly  declare  a  failure  that  affects  the  single  like¬ 
lihood  function  that  surpasses  its  threshold  first.  For  that  reason,  it 
might  be  advantageous  to  signal  an  alarm  that  some  failure  has  occurred, 
giving  the  possible  failures.  The  probability  that  the  failure  is 
actually  one  that  affects  multiple  likelihood  functions  can  be  deter¬ 
mined  by  monitoring  the  magnitudes  of  the  other  likelihood  functions. 

If  they  are  of  normal  magnitude,  the  failure  that  affects  only  one 
likelihood  function  can  be  declared.  However,  if  they  too  are  above 
normal  magnitude,  failure  isolation  might  be  delayed  for  one  or  a  few 
algorithm  iterations,  to  be  more  sure  of  what  failure  did  in  fact  occur. 
In  the  interim  period,  the  most  likely  failure  might  be  displayed,  or 
all  possible  failures  shown  with  an  indication  of  the  most  probable  one, 
or  no  indication  made  other  than  a  signal  that  some  failure  has  occurred. 

3.3  LOGIC  ADAPTATION  TO  FAILED  SENSORS 

If  a  sensor  has  failed,  its  inputs  to  the  detection  logic  would  be 
removed,  as  described  in  Section  II. 2. 8.  The  theoretical  question  of 
observability  of  the  resulting  filter  models  when  various  sensors  have 
been  removed  was  investigated.  It  was  also  mentioned  that  such  degraded 
model  references  could  provide  estimated  values  of  INS  or  AHRS  Euler 
angles,  AFCS  normal  acceleration,  or  ADS  altitude,  vertical  velocity  or 
indicated  airspeed. 
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Removal  of  sensor  signals  from  the  rate  gyros  to  the  attitude 
Kalman  filters,  or  from  the  INS  vertical  accelerometer  to  the  vertical 
filter,  precludes  the  operation  of  those  filters.  Unless  a  hard  failure 
were  to  occur,  a  degraded  performance  mode  could  be  attempted  by  in¬ 
creasing  the  appropriate  elements  of  the  (£  matrices  in  the  filters  and 
accepting  the  poor  data.  This  form  of  adaptation  is  included  in  the 
software  package,  as  well  as  removal  of  failed  sensors  from  filter  input 
channels. 

If  soft  failures  can  be  distinguished  from  hard  failures,  as  men¬ 
tioned  in  the  previous  section  with  regard  to  multiple  thresholds,  then 
"failed"  sensors  need  not  be  removed  from  the  data  system.  A  hard  fail¬ 
ure  would  result  in  sensor  signal  removal,  with  zeroing  of  the  appropri¬ 
ate  il  matrix  elements.  However,  a  soft  failure  could  be  handled  by  in¬ 
creasing  the  magnitude  of  the  appropriate  element  in  the  R  covariance 
matrix.  Additionally,  if  the  failure  can  be  identified  as  a  stable 
shift  in  sensor  output,  rather  than  more  random  fluctuations,  then  some 
attempt  at  compensation  of  the  soft  failure  might  be  conducted  (using 
other  means  than  functional  redundancy  to  achieve  the  compensation). 

However  the  logic  adapts  to  the  failed  sensor,  there  will  be  a 
certain  period  of  time  required  for  the  model  references  and  likelihood 
functions  to  recover  to  "normal"  (but  degraded)  performance.  For  this 
reason,  when  a  failure  does  occur,  the  ability  to  declare  other  failures 
should  be  temporarily  inhibited  so  as  not  to  generate  many  false  alarms. 
An  indication  could  be  sent  to  the  pilot  to  inform  him  of  the  extent  of 
degraded  sensor  systems,  degraded  failure  detection  ability,  and  reduced 
mission  capabilities  that  result. 
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Once  a  sensor  has  been  declared  as  having  failed,  it  may  be  useful 
to  monitor  it  for  possible  recertification.  Especially  in  the  case  of 
soft,  stable  failures,  as  biases  whose  values  could  be  estimated  by 
other  means  and  then  compensated,  such  recertification  may  be  warranted. 
This  would,  however,  add  to  the  complexity  of  the  detection  logic. 

There  are  a  variety  of  means  of  declaring  failures  and  adapting  the 
logic  to  those  failures.  For  any  given  application,  a  trade-off  of  com¬ 
plexity  versus  performance  gain  would  be  required  before  deciding  upon 
the  eventual  mode  of  usage  of  the  functional  redundancy  failure  detec¬ 
tion  concept. 
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SECTION  IV 

EXPERIMENTAL  RESULTS 

1.  EXPERIMENTS  CONDUCTED 

This  section  presents  the  results  of  an  extensive  series  of  per¬ 
formance  analysis  simulations  conducted  to  demonstrate  the  capabilities 
of  the  functional  redundancy  failure  detection  algorithm.  It  will  be 
seen  that  the  feasibility  and  efficiency  of  the  algorithm  has,  in  fact, 
been  verified. 

By  first  generating  all  required  initial  conditions  through  a  long 
trajectory  simulation,  three  evaluation  trajectory  segments  were  estab¬ 
lished:  a  straight-and-level  flight  segment,  a  trajectory  composed  of  a 
roll  into  a  coordinated  turn  followed  by  another  roll  to  resume  straight- 
and-level  flight,  and  a  pitchover  and  descent.  As  mentioned  previously, 
this  simulation  was  "flown"  by  an  F-4  with  a  full  complement  of  par¬ 
ticular  sensors  normally  carried  onboard  such  an  aircraft,  except  that 
the  INS  characteristics  were  modified  to  be  more  representative  of 
state-of-the-art  technology. 

First  of  all,  a  Monte  Carlo  set  of  runs  was  performed  in  order  to 
establish  a  basis  of  comparison.  Two  different  sets  of  Monte  Carlo  runs 
were  actually  conducted,  one  set  in  which  instrument  biases  were  allowed 
to  assume  various  representative  values  and  another  set  in  which  all 
biases  were  zeroed.  The  latter  set  is  used  later  in  the  bias  sensitiv¬ 
ity  tests.  During  these  first  test  runs,  the  filters  were  tuned  to  the 
straight-and-level  flight  profile.  Section  2  delineates  these  results. 
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Monte  Carlo  runs  of  the  same  trajectory  segments  were  then  con¬ 
ducted,  but  with  individual  sensor  failures  being  simulated.  Both  types 
of  Monte  Carlo  runs,  with  zeroed  biases  and  representative  bias  values, 
were  used.  The  resulting  likelihood  function  plots  then  allowed  evalu¬ 
ation  of  the  various  means  of  declaring  failures,  as  seen  in  Section  3. 

Since  one  problem  was  the  sensitivity  to  rapid  roll  rates,  an  in¬ 
vestigation  into  altering  the  filter  driving  noise  covariances  (Qj  to 
tune  the  filters  to  an  environment  of  higher  roll  rates  was  made.  This 
detunes  the  filter  somewhat  in  the  straight-and-level  regime.  The  ef¬ 
fectiveness  of  the  Q  variance  to  reduce  maneuver  sensitivity  is  pre¬ 
sented  in  Section  4. 

Section  5  then  presents  the  sensitivity  to  instrument  biases. 

Monte  Carlo  runs  with  all  biases  set  to  zero  but  one  were  performed  for 
each  bias  in  turn.  To  make  the  effects  of  the  biases  pronounced,  each 
one  being  tested  was  set  at  the  worst  case  level  (or  2a  value  if  a 
statistical  description  of  bias  characteristics  was  available  for  a 
particular  sensor). 

Section  6  describes  the  verification  of  the  simulated  data  results 
by  data  tapes  acquired  through  flight  test  recordings.  Due  to  some  ex¬ 
tenuating  circumstances,  the  flight  tests  have  been  delayed  for  21 
months,  and  so  the  actual  data  is  not  available  at  the  time  of  this 
writing.  However,  the  tests  are  scheduled  and  this  substantiation  is 
expected  within  the  near  future. 
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2.  BASELINE  OF  PERFORMANCE  -  NO  FAILURES 

Monte  Carlo  simulations  were  conducted  over  the  three  evaluation 
trajectory  segments  without  any  failures  being  simulated.  Figure  8  pre¬ 
sents  plots  of  the  ten  likelihood  functions  for  the  three  trajectory 
segments  under  the  conditions  of  zeroed  instrument  biases.  The  labels 
in  this  figure  are  used  throughout  this  section:  INS  1,  2,  and  3  are 
the  pitch,  roll,  and  yaw  likelihood  functions  for  the  INS-AFCS  filter; 
AHRS  1,  2,  and  3  are  similarly  pitch,  roll,  and  yaw  likelihood  functions 
for  the  AHRS-AFCS  filter;  VERT  1,  2,  and  3  are  lagging  altitude,  inde¬ 
pendent  vertical  velocity  (used  to  check  angle  of  attack),  and  vertical 
velocity  likelihood  functions  of  the  vertical  filter;  and  VIAS  is  the 
indicated  airspeed  likelihood  function.  These  labels  correspond  to  e^ 
through  eg,  and  e^,  respectively,  of  Table  IV  in  Section  II. 2. 6. 
Variation  of  these  instrument  biases  did  not  substantially  increase  the 
magnitude  of  any  likelihood  function  except  the  one  corresponding  to  in¬ 
dicated  airspeed  (labelled  VIAS  in  the  plots).  In  fact,  some  effort  was 
made  to  include  in  Figure  8  plots  of  large  magnitude  likelihood  func¬ 
tions  from  the  various  Monte  Carlo  runs.  Maximum  magnitudes  attained  by 
the  ten  likelihood  functions  on  the  three  trajectories  (denoted  as 
"level,"  "turn,"  and  "descent")  are  given  in  Table  V.  This  table  in¬ 
cludes  nonzero  bias  runs  as  well  as  zero  bias  runs.  With  zero  biases, 
after  a  rapid  transient  from  an  initial  value  of  -195  as  in  Figure  8, 
the  maximums  attained  by  the  VIAS  (indicated  airspeed)  likelihood  func¬ 
tion  were  -10  in  level  flight,  -20  in  the  turn,  and  -8  in  descent.  Note 
that  this  original  value  of  -195  was  due  to  the  initial  conditions  being 
established  with  a  trajectory  in  which  instrument  biases  were  allowed  to 
assume  representative  nonzero  values.  These  are  substantially  lower 
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Figure  8e.  No  Failures:  Level 


Figure  8f.  No  Failures;  Level 
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Figure  8h.  No  Failures;  Level 


Figure  8i .  No  Failures;  Level 
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than  the  -230,  -430,  and  -195,  respectively,  in  the  table.  Another, 
less  pronounced,  effect  was  that  the  VERT  2  (independent  vertical  ve¬ 
locity)  achieved  maximums  of  -1.1,  -1.5,  and  -1.8  in  the  level,  turn, 
and  descent  phases  with  no  biases  simulated,  as  compared  with  the  -11.1, 
-5.2,  and  -4.7  listed  in  the  table.  Other  than  these  cases,  the  biases 
had  only  a  marginal  effect  on  the  likelihood  function  magnitudes  or  dy¬ 
namic  characteristics. 

The  variation  of  the  roll  channel  likelihood  functions  of  both  at¬ 
titude  filters  under  the  influence  of  rapid  roll  rates  in  the  turn  is 
especially  noteworthy.  A  variation  of  greater  than  two  orders  of  magni¬ 
tude  in  these  likelihood  functions  is  exhibited  in  both  Figure  8  and 
Table  V.  By  far,  this  is  the  greatest  sensitivity  of  the  various  like¬ 
lihood  functions  to  aircraft  maneuvering,  and  therefore  it  has  received 
intense  attention  in  this  effort. 

3.  FAILURE  DETECTION  CAPABILITY 

This  section  will  describe  the  results  of  Monte  Carlo  runs  to  veri¬ 
fy  and  improve  the  performance  reported  in  Tables  I  and  II  of  Section  I. 
To  provide  a  means  of  direct  comparison,  the  data  will  be  presented  in 
the  same  order  as  in  those  two  tables.  Where  significant  improvement 
was  required  and/or  achieved,  a  more  detailed  accounting  of  these  re¬ 
sults  will  be  made. 

3.1  SUDDEN  FAILURES  WITH  SUDDEN  EFFECTS 

First,  the  study  of  sudden  failures  with  sudden  effects,  the  con¬ 
tent  of  Table  I,  will  be  presented. 
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Massive  leak  in  static  line:  During  the  turn  segment,  static  line 
leaks  of  varying  degrees  were  simulated,  with  such  a  failure  being  de¬ 
tected  by  the  altitude  (VERT  1;  e^),  vertical  velocity  (VERT  3;  e^),  and 
indicated  airspeed  (VIAS;  e^)  likelihood  functions  surpassing  their 
thresholds.  The  performance  of  Table  I  was  achieved,  with  the  smallest 
leak  simulation  being  within  the  region  such  that  in-tolerance  instru¬ 
ment  biases  precluded  detection  in  many  runs.  With  more  massive  leaks 
(i.e.,  adding  more  than  50  to  the  simulated  sensor  bias),  detection  was 
possible  and  occurred  more  rapidly  with  increasing  leak  magnitude.  The 
"higher  sensitivity"  to  vertical  velocity  than  altitude  exhibited  it¬ 
self  in  the  vertical  velocity  likelihood  function  rapidly  attaining  a 
value  in  excess  of  normal  and  remaining  there,  whereas  the  altitude  like¬ 
lihood  function  grew  more  slowly,  but  continued  such  growth  to  surpass 
the  threshold  by  a  greater  percentage  eventually.  Thus,  as  in  Table  I, 
the  vertical  velocity  was  signalled  in  error  on  the  first  iteration  of 
the  algorithm  after  the  leak  was  simulated,  while  the  altitude  failure 
required  four  iterations.  Note  that,  due  to  simulation  errors  in  the 
previous  work,  the  indicated  airspeed  was  not  affected  by  static  line 
errors.  For  the  strongest  leak  simulated  (adding  500  to  the  sensor 
bias),  the  altitude  likelihood  function  exceeded  its  normal  peak  value 
by  about  7,  the  vertical  velocity  by  about  4.5,  and  the  indicated  air¬ 
speed  by  about  1100. 

Some  difficulty  with  the  airspeed  (V IAS)  likelihood  function 
growing  large  was  experienced,  but  this  was  attributed  to  other  instru¬ 
ment  biases.  Thus,  these  were  not  false  alarms  caused  by  the  simulated 
line  leak. 
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Massive  leak  in  pitot  line:  The  performance  of  Table  I  was  achieved 
when  instrument  biases  were  zeroed,  but  some  difficulty  was  experienced 
when  other  instrument  biases  were  allowed  to  affect  the  system.  The  in¬ 
dicated  airspeed  (VIAS)  likelihood  function  repeatedly  demonstrated  such 
performance. 

Excessive  noise  in  static  pressure  output:  The  altitude  (VERT  1), 
vertical  velocity  (VERT  3),  and  indicated  airspeed  (VIAS)  likelihood 
functions  signalled  such  a  static  pressure  sensor  failure,  with  similar 
trends  as  in  Table  I.  For  the  largest  noise  power  simulated,  VERT  1 
attained  approximately  -31  (as  compared  to  -14.5  as  listed  in  Table  V 
for  the  greatest  value  under  no-fail  conditions),  VERT  3  achieved  about 
-28  (compared  to  -2.7)  and  VIAS  achieved  -1500  (compared  to  -430). 

This  is  seen  in  Figure  9,  typical  plots  of  VERT  1  and  VERT  2  under  con¬ 
ditions  of  their  largest  failures. 

The  VERT  2  likelihood  function  magnitude  grew  somewhat,  though  not 
as  severely  as  VERT  1  and  VERT  3  or  enough  to  surpass  threshold.  This 
can  be  attributed  to  the  vertical  filter  being  degraded  by  continued 
use  of  a  failed  signal . 

Excessive  noise  in  pitot  pressure  output:  As  indicated  in  Table  I, 
for  large  enough  noise  corruption,  a  failure  is  declared  by  the  airspeed 
(VIAS)  likelihood  function  exceeding  threshold.  For  a*  =  600,  the  value 
grows  to  about  -750,  and  for  a*  =  1200  it  grows  to  -1800  then  oscillates 
back  to  -600,  both  of  these  being  considerably  beyond  the  -430  value  in 
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Figure  9b.  Excessive  Noise  in  Static 
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Table  V  under  no-fail  conditions,  and  especially  beyond  -20  under  no¬ 
fail  conditions  and  no  instrument  biases  (as  mentioned  in  Section  IV. 2). 
Figure  10  portrays  the  VIAS  likelihood  function  for  a  run  with  o* 

=  1200. 

Tachometer  failure:  When  the  tachometer  failed  in  descent,  the 
vertical  velocity  likelihood  function  signalled  a  failure,  usually  after 
about  one  second,  with  the  function  approximately  doubling  its  "normal 
operation  maximum"  value  after  two  seconds. 

Bent  angle-of-attack  vane:  Similar  to  the  indicated  performance  in 
Table  I,  for  the  low  values  of  additional  bias  used  to  simulate  the  bent 
angle-of-attack  vane,  the  results  did  not  consistently  put  the  VERT  2 
likelihood  function  level  beyond  the  value  of  -5.2  shown  in  Table  V. 
However,  when  0.06  was  added  to  b(,  the  value  grew  to  -6  in  approxi¬ 
mately  two  seconds,  and  remained  at  that  level.  For  an  additional  bias 
of  0.12,  the  level  grew  to  -36  in  about  two  seconds,  as  shown  in  Figure 
11a.  Unlike  the  results  in  Table  I,  the  indicated  airspeed  likelihood 
function  did  not  in  general  grow  beyond  the  -430  level  of  Table  V,  al¬ 
though  it  did  usually  grow  beyond  the  zero  bias  level  of  -20. 

As  might  be  expected,  the  other  estimates  in  the  vertical  filter 
were  degraded  somewhat  due  to  incorporation  of  faulty  data,  and  so 
VERT  1  and  VERT  3  did  in  fact  grow  in  magnitude.  However,  as  seen  in 
Figures  lib  and  11c,  these  two  likelihood  functions  underwent  growth 
substantially  lower  than  the  corresponding  likelihood  function.  Thus, 
any  potential  false  alarm  from  their  growth  could  probably  be  precluded 
by  removing  the  failed  signal  from  the  filter. 
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This  idea  was  tested,  and  Figure  12  presents  the  confirmation  ob¬ 
tained.  By  removing  the  failed  signal,  the  VERT  1  and  VERT  3  likelihood 
functions  do  in  fact  recover  to  levels  that  do  not  elicit  false  alarms. 

Noisy  angle-of-attack  potentiometer:  Again  performance  similar  to 
that  of  Table  I  was  achieved  except  that  indicated  airspeed  did  not  con¬ 
sistently  register  false  alarms.  When  the  noise  variance  was  set  to 
aa  =  0.06,  the  VERT  2  likelihood  function  grew  to  about  -25  in  about  two 
seconds  (compared  to  the  -5.2  of  Table  V),  and  then  oscillated  at  values 
ranging  between  -15  and  -27  typically.  Under  this  magnitude  of  failure, 
the  VERT  1  and  VERT  3  likelihood  functions  did  not  generally  show  growth 
levels  to  potential  false  alarms. 

When  the  noise  variance  was  increased  to  a  =  0.12,  the  results 

a 

were  well  represented  by  the  plots  of  Figure  13.  Plot  a  shows  the 
VERT  2  likelihood  function  clearly  surpassing  its  maximum  normal  value 
(-5.2),  but  both  VERT  1  and  VERT  3  in  plots  b  and  c  surpass  their  max¬ 
imum  normal  values  (-4.5  and  -2.8,  respectively)  as  well.  Again  the 
influence  of  removing  the  failed  signal  upon  failure  declaration  was 
investigated,  and  again  the  VERT  1  and  VERT  3  likelihood  functions 
recovered  to  behavior  that  remained  subthreshold. 

Normal  accelerometer  pickoff  failure:  The  airspeed  (VIAS)  likeli¬ 
hood  function  quickly  detected  this  failure,  as  shown  by  a  typical  plot 
of  its  value  in  Figure  14. 
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Figure  14.  Normal  Accelerometer  Pickoff  Failure 
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INS  vertical  accelerometer  float  leak:  This  failure  was  reported 
as  undetectable  in  Table  I  from  previous  investigations.  However,  for 
the  accelerometer  scale  factor  error  T33  =  £3^  =  0.02  and  above,  detec¬ 
tion  was  achieved  in  the  experiments  conducted  for  this  effort.  Figure 
15  portrays  a  typical  result  for  a  scale  factor  error  of  0.04,  in  which 
VERT  1,  VERT  2,  and  VERT  3  all  clearly  surpass  their  no-failure  maximums 
of  -14.5,  -5.2  and  -2.8,  respectively.  Times  of  passage  of  these  thresh¬ 
olds  were  not  always  identical,  so  that  checking  other  likelihood  function 
values  when  one  surpassed  its  threshold  (to  determine  the  probability  of 
their  thresholds  being  surpassed  soon)  would  be  required  to  preclude 
false  alarms. 


3.2  SUDDEN  FAILURES  WITH  DRIFTING  EFFECTS 

As  in  the  previous  section,  the  study  of  sudden  failures  with 
drifting  effects  will  be  presented  in  the  same  order  as  Table  II  so  that 
a  direct  comparison  is  readily  discernible. 

Clogged  static  line:  This  failure  was  detected  by  both  altitude 
(VERT  1)  and  vertical  velocity  (VERT  3)  exceeding  the  no-failure  maximum 
values.  As  in  Table  I,  the  altitude  likelihood  function  indicated  the 
failure  before  the  vertical  velocity  likelihood  function  did. 

Clogged  pitot  line:  With  instrument  biases  allowed  to  assume  dif¬ 
ferent  representative  values,  this  failure  could  not  be  discerned  con¬ 
sistently,  as  indicated  in  Table  I.  However,  if  a  comparison  is  made 
between  the  Monte  Carlo  runs  with  no  failures  and  zeroed  instrument  bi¬ 
ases,  and  similar  runs  with  no  biases  but  the  clogged  pitot  line  simu- 
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Figure  15b.  INS  Vertical  Accelerometer  Float  Leak 
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lated,  then  the  failure  is  detectable.  Figure  8  presented  plots  of  the 
VIAS  likelihood  function:  in  all  cases,  it  converged  to  magnitudes  be¬ 
low  -20  in  the  turn  segment  and  -8  in  descent.  Note  that  the  original 
higher  values  in  these  plots  were  due  to  the  initial  conditions  being 
established  with  a  trajectory  in  which  instrument  biases  assumed  repre¬ 
sentative  values. 

Figure  16  presents  the  indicated  airspeed  (VIAS)  likelihood  func¬ 
tion  for  the  case  of  zero  instrument  biases  and  a  clogged  pitot  line. 
Plot  a  corresponds  to  a  turn  segment,  and  the  likelihood  function  grows 
to  a  value  of  about  -35  (beyond  the  no-failure  maximum  of  -20).  Simi¬ 
larly,  plot  b  corresponds  to  the  descent,  and  the  detectability  here  is 
more  pronounced:  not  only  is  the  no-failure  maximum  value  of  -8  sur¬ 
passed,  but  the  growth  trend  is  consistent.  In  this  latter  case,  the 
failure  would  be  detected  even  if  the  -195  threshold  of  Table  V  for 
descent  conditions,  or  the  overall  threshold  of  -430,  were  used.  Nev¬ 
ertheless,  its  speed  of  detection  would  be  much  improved  if  instrument 
biases  were  compensated  in  preflight  as  suggested  in  Section  III  (allow¬ 
ing  a  tighter  threshold  to  be  used).  In  fact,  such  compensation  would 
be  requisite  for  the  detection  of  a  clogged  pitot  line  during  the  turn 
segment  in  most  of  the  Monte  Carlo  runs,  though  not  for  detection  in 
descent. 

INS  vertical  gyro  torquer  failure:  This  failure  in  level  flight 
would  be  expected  to  affect  the  INS  pitch  and  roll  (INS  1  and  INS  2) 
likelihood  functions.  Figure  17  presents  representative  plots  of  these 
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Figure  17a.  INS  Vertical  Gyro 


iqure  17b.  INS  Vertical  Gyro 
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two  functions.  These  two  graphs  do  exceed  the  no-fail  maximums  achieved 
in  level  flight  (INS  1  reaches  about  -7.5  compared  to  -4.2  with  no  fail¬ 
ures,  and  INS  2  reaches  approximately  -8  compared  to  -5.7).  However, 
the  INS  2  does  not  exceed  the  considerably  larger  maximums  obtained  in 
turns  (-20.4  and  -1650,  respectively).  Thus,  it  can  be  concluded  that 
this  failure  is  detectable  only  if  threshold  levels  set  adaptively  to 
aircraft  maneuvering  were  used.  If  such  adaptive  thresholds  were  used, 
a  threshold  appropriate  to  level  flight  would  be  tight  enough  that  such 
a  failure  could  be  detected,  but  only  while  the  aircraft  were  actually 
flying  straight  and  level. 

INS  heading  gyro  torque  failure:  No  discernible  effects  on  the  INS 
yaw  (INS  3)  likelihood  function  were  caused  by  this  failure. 

INS  gyro  float  leak  (level  flight):  Even  the  smallest  simulated 
leaks  had  profound  effects  on  the  INS-AFCS  attitude  filter  likelihood 
functions.  Figure  18  presents  the  three  likelihood  functions  (INS  1, 

INS  2,  INS  3)  for  an  example  run  of  this  case,  i.e.,  =  0.0025.  The 

achieved  values  of  -13,  -90,  and  -800  far  surpass  the  no-fail  level 
flight  maximums  of  -4.2,  -5.7,  and  -5.8  in  Table  V.  Note  that,  as  ex¬ 
pected,  the  yaw  likelihood  function  (INS  3)  exhibits  the  strongest  ef¬ 
fect  due  to  the  failure,  but  that  the  failure  does  not  affect  the  entire 
INS  performance. 

For  larger  values  of  float  leak  magnitude,  the  INS  performance  deg¬ 
radation  is  sufficient  to  affect  the  vertical  filter  likelihood  functions 
through  the  influence  of  the  INS  vertical  accelerometer.  For  instance. 
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Figure  18a.  INS  Gyro  Float  Leak  in  Level  Flight 
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when  =0.1,  VERT  1  reaches  -42  in  two  seconds  from  start  of  the 
failure,  compared  to  its  no-fail  level  flight  maximum  of  -13.3,  VERT  2 
reaches  -1.5  (compared  to  -1.1)  and  VERT  3  reaches  -10.6  (compared  to 
-2.8).  For  this  reason,  when  su  INS  failure  is  declared,  the  driv¬ 
ing  noise  covariance  in  the  vertical  filter  should  be  increased  to  a 
very  large  number. 

INS  gyro  float  leak  (turn):  In  a  turn,  this  failure  again  had 
significant  effect  on  the  INS  likelihood  functions,  even  for  the  small¬ 
est  magnitude  failure  that  was  simulated.  Figure  19  presents  these  re¬ 
sults:  pitch  (INS  1)  drops  to  -230  (versus  -20.4  for  no  failures)  and 
yaw  (INS  3)  to  -102  (compared  to  a  peak  value  of  -96).  Note  that  the 
INS  3  likelihood  function  differs  significantly  from  the  no-failure  case 
during  the  turn:  it  remains  at  about  -60  for  a  period  of  time  in  the 
turn  as  opposed  to  returning  immediately  to  about  -10.  Therefore,  if  a 
time-to-fai lure-declaration  parameter  were  used  in  conjunction  with  a 
threshold  value  to  mask  out  the  transients  due  to  rapid  roll  rate,  the 
declaration  of  failure  would  be  assured  for  INS  3  as  well  as  INS  1. 

Note  that  INS  2  also  exhibits  a  likelihood  function  buildup  during 
the  turn.  This  is  to  be  expected  since  the  failure  will  affect  the 
performance  of  all  INS  outputs.  Furthermore,  even  for  the  lowest  mag¬ 
nitude  failure,  the  INS  vertical  accelerometer  error  has  caused  the 
vertical  filter  likelihood  functions  to  grow  abnormally,  as  depicted  in 
Figure  20.  As  in  the  previous  case,  VERT  1  and  VERT  3  especia1ly  exceed 
their  no-failure  maximums  (-14.0  and  -2.5,  respectively).  Thus,  when  an 
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INS  Gyro  Float  Leak  in  Turn-Attitudes 


Figure  19b.  INS  Gyro  Float  Leak  in  Turn-Attitudes 
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Fiqure  20a.  INS  Gyro  Float  Leak  in  Turn 
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INS  failure  is  sensed,  either  the  driving  noise  variance  for  the  verti¬ 
cal  filter  must  be  increased  or  the  failure  detection  based  on  the 
vertical  filter  likelihood  functions  must  be  disenabled. 

Increasing  the  magnitude  of  the  failure  makes  the  effects  depicted 
above  more  pronounced.  Thus,  the  rapid  detection  in  Table  II  is  possi¬ 
ble.  (For  instance,  when  =  0.005,  INS  3  (yaw)  reaches  -5000  in 

three  seconds'.).  The  "false  alarms"  reported  in  that  table  are  due  to 
the  propagation  of  the  degraded  INS  performance  into  the  VERT  2  likeli¬ 
hood  function  and  the  entire  vertical  filter. 

Loss  of  cutoff  for  the  vertical  gyro:  During  a  turn,  such  a  fail¬ 
ure  should  be  declared  by  the  AHRS  roll  (AHRS  2)  likelihood  function 
surpassing  threshold.  With  loss  of  good  vertical  gyro  performance,  it 
would  be  expected  that  AHRS  pitch  (AHRS  1)  would  also  grow.  Figure  21 
presents  a  typical  set  of  plots  of  these  two  likelihood  functions.  If  a 
time-to-fai lure-declaration  parameter  or  some  other  method  were  used 
with  a  threshold  value  to  mask  out  normal  transients  in  the  AHRS  2 
likelihood  function,  then  the  growth  during  the  turn  itself  to  a  value 
of  about  -350  would  be  detectable  as  a  failure.  As  expected,  the  AHRS  1 
likelihood  has  surpassed  its  no-failure  maximum  value  of  -36. 

Loss  of  cutoff  for  directional  gyro:  No  effects  could  be  observed 
in  the  AHRS  yaw  (AHRS  3)  likelihood  function  when  this  failure  was 
simulated. 
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Figure  21a.  Loss  of  Cutoff  for 
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Vertical  gyro  servo  failure:  No  consistently  discernible  increase 
in  the  magnitudes  of  the  AHRS  roll  or  pitch  likelihood  functions  ap¬ 
peared  when  this  failure  was  simulated. 

Directional  gyro  servo  failure:  Figure  22  presents  a  typical  plot 
of  the  AHRS  heading  (AHRS  3)  likelihood  function  when  this  failure  was 
simulated  during  level  flight.  The  peak  magnitude  exceeds  the  no¬ 
failure  maximum  attained  in  level  flight  (-11.1)  by  a  factor  of  two  and 
is  also  greater  than  the  descent  value  (-6.1).  However,  it  does  not 
exceed  the  maximum  achieved  in  turns  (-145),  so  thresholds  adaptive  to 
maneuvering,  or  a  disenabling  of  failure  declarations  during  turns  with 
the  tighter  threshold  chosen,  would  be  required  for  this  failure  to  be 
detected. 

Rate  gyro  failure:  Figure  23  presents  the  six  likelihood  functions 
(IMS  1,  2,  3  and  AHRS  1,  2,  3)  that  together  surpassing  their  thresholds 
would  indicate  a  pitch  or  yaw  rate  gyro  failure,  when  in  fact  a.  yaw  rate 
gyro  was  failed  during  a  turn.  The  INS  1,  INS  3,  AHRS  1,  and  AHRS  3 
likelihood  functions  clearly  crossed  their  threshold  values.  If  tran¬ 
sients  due  to  rapid  roll  rates  are  masked  out,  then  the  growth  of  INS  2 
and  AHRS  2  (the  two  roll  iikelihood  functions)  can  readily  be  detected 
during  the  turn  itself,  INS  2  growing  to  about  -500  and  the  AHRS  2  func¬ 
tion  to  about  -200.  With  six  likelihood  functions,  the  time  of  crossing 
of  threshold  problem  exists,  and  a  check  on  the  other  likelihood  func¬ 
tion  values  when  the  first  surpass  threshold  will  avoid  false  alarms  due 
to  this  problem. 
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Figure  22.  Directional  Gyro  Se 


Figure  23c.  Yaw  Rate  Gyro 
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Figure  23f.  Yaw  Rate  G 
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Figure  24  presents  a  typical  result  of  failing  the  roll  rate  gyro 
in  level  flight,  an  experiment  not  reported  in  Table  II.  As  expected, 
the  roll  likelihood  functions  associated  with  both  attitude  filters 
(INS  2  and  AHRS  2)  surpassed  the  no-failure  level  flight  maximum  values 
(-4.2  and  -9.0,  respectively).  They  also  surpassed  the  maximum  values 
attained  in  descent  (-6.9  and  -15.7),  but  did  not  exceed  the  thresholds 
appropriate  to  turns  (-20.4  and  -36).  Therefore,  use  of  tight  thres¬ 
holds  with  inhibited  failure  declaration  during  turns  or  threshold 
values  set  adaptively  to  sensed  maneuvering  would  be  required  to  detect 
this  failure. 

4.  LESSENING  SENSITIVITY  TO  ROLL  RATE 

One  consistent  characteristic  in  the  last  section  was  the  sensi¬ 
tivity  of  the  two  roll  angle  likelihood  functions  (INS  2  and  AHRS  2)  to 
rapid  roll  rates.  The  three  procedures  for  handling  the  resulting 
transients  were: 

(1)  use  of  the  tighter  threshold  values  appropriate  to  other 
flight  regimes  and  the  disenabling  of  failure  declarations 
when  rapid  roll  rates  were  sensed  (or  commanded) 

(2)  use  of  threshold  values  that  would  be  adaptively  set  higher 
when  rapid  roll  rates  were  sensed  (or  commanded) 

(3)  use  of  a  time-to-fai lure-declaration  parameter  in  conjunction 
with  a  tighter  threshold  value  to  "mask  out"  the  transient 
effects. 

172 


... 


..  ..  ..  ... 


0.80 


Fiqure  24a.  Roll  Rate 


Figure  24b.  Roll  Rate  G; 
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Because  of  the  magnitude  of  these  transient  effects,  an  investiga¬ 
tion  was  made  to  determine  if  increasing  the  two  filters'  driving  noise 
covariance  matrix  (Q)  components  could  significantly  reduce  the  transi¬ 
ent  amplitudes,  while  leaving  failure  characteristics  unchanged  (or  even 
enhanced). 

The  first  tests  simply  multiplied  the  diagonal  Q.  matrices  by  con¬ 
stant  factors.  This  led  to  somewhat  decreased  transient  magnitudes,  but 
also  to  a  decrease  of  likelihood  function  growth  due  to  real  failures. 

Subsequently,  it  was  reasoned  that  the  real  system  model  uncer¬ 
tainty  was  in  the  roll  channel,  so  only  the  element  in  the  first  row  and 
first  column  of  the  matrices  (corresponding  to  driving  noise  on  roll 
rate)  was  increased,  leaving  the  other  terms  unchanged.  Tests  were 
conducted  with  these  elements  set  to  2,  5,  and  10  times  the  value  that 
tuned  the  filters  to  the  straight-and-level  flight  regime.  Monte  Carlo 
runs  of  turns  were  then  made  for  (1)  no  failures  simulated,  (2)  the  yaw 
rate  gyro  failed,  and  (3)  loss  of  vertical  gyro  cutoff.  Since  the  two 
failure  cases  are  indicative  of  the  decrease  in  transient  amplitude 
achieved  in  the  no-failure  case,  only  these  plots  are  included  here. 

Figure  25  displays  typical  plots  of  INS  2  and  AHRS  2  for  the  rate 
gyro  failure  case  with  set  at  twice  its  normal  value.  The  transient 

is  decreased  somewhat  from  that  depicted  in  Figure  23,  and  the  intermed¬ 
iate  growth  is  somewhat  better  as  well.  The  trends  of  the  other  four 
likelihood  functions  were  left  unchanged,  and  failure  detection  was 
readily  possible. 


Figure  25a.  Rate  Gyro  Failure;  Q, ,  =  Twice  Normal  Value 
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By  increasing  to  ten  times  its  normal  value,  results  were  such 
as  those  displayed  in  Figure  26.  The  growth  due  to  the  actual  failure 
was  relatively  unchanged,  but  the  transient  magnitudes  were  reduced 
markedly.  As  would  be  expected,  the  associated  attitude  filters  were 
simultaneously  producing  estimates  of  the  error  variances  in  their  state 
estimates  that  more  closely  approximated  the  statistics  of  the  actually 
observed  residuals.  However,  this  was  gained  at  the  expense  of  a  re¬ 
ciprocal  detuning  of  the  filters  for  straight-and-level  flight  regime 
performance. 

The  same  trend  of  reducing  the  transient  magnitude  with  an  increase 
of  Q-ji  was  also  exhibited  by  the  AHRS  roll  (AHRS  2)  likelihood  function 
for  the  case  of  loss  of  vertical  gyro  cutoff.  Thus,  the  failure  charac¬ 
teristics  were  emphasized  relative  to  these  transients. 

5.  SENSITIVITY  TO  INSTRUMENT  BIASES 

Of  the  twenty-four  biases  tested  at  their  2o  level,  the  most  criti¬ 
cal  were  those  that  affected  the  indicated  airspeed  (V IAS)  likelihood 
function,  since  it  was  this  function  alone  that  required  biases  to  be 
set  to  zero  (or  small  values)  to  yield  good  detection  performance.  The 
indicated  airspeed  quantity  is  generated  with  the  use  of  static  pressure 
and  pitot  pressure,  so  the  sensitivity  of  the  VIAS  likelihood  function 
to  biases  in  these  values  would  be  important.  Furthermore,  the  model 
reference  incorporates  the  normal  accelerometer  output  and  angle-of- 
attack  signal  to  generate  a  second  computed  value  of  indicated  airspeed, 
so  these  sensitivities  are  also  important. 


26a.  Rate  Gyro  Failure;  Qn  =  10  x  Normal  Value 
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Figure  27  presents  the  typical  VIAS  likelihood  function  in  the 
level,  turn,  and  descent  trajectories  during  simulations  in  which  the 
static  pressure  bias  was  set  at  its  2o  value.  Similarly,  Figure  28  por¬ 
trays  a  typical  example  when  the  pitot  pressure  bias  is  similarly  set. 
The  extreme  sensitivity  of  likelihood  function  performance  to  these  two 
biases,  as  seen  by  comparing  these  plots  to  those  of  Figure  8,  empha¬ 
sizes  the  importance  of  removing  such  biases  to  the  greatest  possible 
extent  during  preflight,  if  this  likelihood  function  of  the  detection 
logic  is  to  perform  properly.  The  angl e-of-attack  bias  affects  this 
likelihood  function  to  a  minor  degree,  changing  its  magnitude  by  about  5 
to  10  at  most  when  the  bias  is  at  its  2o  value.  It  should  also  be  noted 
that  the  pitot  pressure  bias  also  affected  the  vertical  filter,  with  the 
VERT  2  likelihood  function  doubling  its  threshold  in  level  flight. 

Other  bias  sensitivities  are  less  critical  to  performance,  and  they 
were  also  found  to  be  less  severe  than  the  static  and  pitot  pressure 
bias  sensitivities.  Biases  directly  on  the  INS  outputs  caused  some 
performance  change.  The  2o  bias  on  INS  pitch  caused  the  corresponding 
likelihood  function  to  achieve  maximum  magnitudes  of  -7.5  in  level 
flight,  -4.3  in  a  turn,  and  -8.7  in  descent  (compared  to  the  values 
-4.2,  -2.04  and  -6.9,  respectively  in  Table  V);  the  roll  bias  caused  the 
roll  likelihood  function  to  reach  -9.1  in  level  flight  (compared  to  -5.7 
from  Table  V).  Other  bias  effects  in  the  INS,  as  due  to  gyro  or  ac¬ 
celerometer  biases,  were  negligible. 

The  AFIRS  biases  directly  on  the  Euler  angle  outputs  similarly  had 
some  effect  on  likelihood  performance.  The  pitch  likelihood  function 
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tatic  Pressure  Bias  (Turn) 


Figure  28b.  Pitot  Pressure  Bias  (Turn 
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reached  a  value  of  -52  in  a  turn  (compared  to  -36  in  Table  V)  when  a  2o 
bias  was  simulated  on  the  pitch  output.  With  a  similar  bias  on  the  roll 
output,  the  roll  likelihood  function  reached  values  of  -23  in  level 
flight  and  -27  in  descent  (compared  to  -5.1  and  -8.6,  respectively  in 
Table  V).  The  directional  gyro  bias  at  its  2o  value  causes  the  AHRS  yaw 
likelihood  function  to  reach  -20  during  level  flight  (compared  to  the 
Table  V  value  of  -11.1).  Finally,  the  AHRS  compass  bias  caused  the  AHRS 
yaw  likelihood  function  to  exhibit  a  constant  growth  characteristic,  un¬ 
like  other  biases  which  caused  a  more  stable  offset  from  no-failure 
likelihood  function  values.  This  is  depicted  in  Figure  29  for  the  case 
of  the  descent  trajectory,  in  which  the  likelihood  function  is  seen  to 
continue  a  constant  growth  trend  beyond  the  threshold  of  -6.1  from 
Table  V. 

6.  VERIFICATION  OF  SIMULATED  DATA 

In  order  to  verify  that  the  performance  analysis  conducted  in  this 
effort  truly  depicts  the  performance  to  be  expected  in  eventual  imple¬ 
mentation,  data  acquired  from  flight  test  aircraft  will  replace  the  air¬ 
craft  and  sensor  simulation  portions  of  the  software  package.  First  a 
set  of  no-bias,  no-failure  simulation  runs  will  be  conducted,  and  re¬ 
cordings  of  all  sensor  outputs  put  on  tape.  Then  no-bias  runs  with 
failures  will  be  conducted,  and  recordings  of  the  sensor  recordings 
again  collected.  The  difference  between  these  and  the  corresponding  no¬ 
failure  case  sensor  outputs  will  then  form  a  time  history  of  sensor 
output  variations  due  to  simulated  failures.  Once  the  flight  test  data 
tapes  are  obtained,  they  can  then  be  used  to  drive  the  filters,  detec¬ 
tion  logic,  and  performance  analysis  segments  of  the  software.  By 
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superimposing  the  sensor  output  variations  on  the  real  data,  the  ability 
of  the  failure  detection  logic  to  discern  failure  characteristics  in  a 
real  sensor  signal  environment  will  be  verified. 
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SECTION  V 
CONCLUSION 

An  efficient  and  effective  means  of  detecting  failures  of  data  sen¬ 
sors  through  functional  redundancy  has  been  developed  and  its  perfor¬ 
mance  capabilities  investigated.  As  the  preceding  section  has  demon¬ 
strated,  the  failure  detection  power  of  the  concept  is  rather  extensive. 
Since  it  allows  such  detection  by  combining  data  from  systems  already 
onboard  an  aircraft,  it  reduces  the  amount  of  hardware  duplication 
required  to  achieve  a  specified  level  of  data  system  reliability. 
Consequently,  the  practical  implications  in  cost,  weight,  and  volume 
savings  for  future  aircraft  are  substantial. 

To  aid  the  eventual  implementation  of  this  concept  into  an  inte¬ 
grated  failure  detection  system,  a  flexible  design  tool  has  been  devel¬ 
oped.  With  this  tool,  the  functional  redundancy  detection  logic  can  be 
readily  tuned  and  optimized  for  any  particular  onboard  application.  The 
software  package  that  has  been  developed  can  significantly  assist  the 
conversion  of  performance  potential  of  functional  redundancy  failure  de¬ 
tection  into  performance  realization. 


191 


AFFDL-TR-76-93 


BIBLIOGRAPHY 

Maybeck,  Peter  S. ,  "Combined  State  and  Parameter  Estimation  for 
Online  Applications,"  Ph.D.  dissertation  at  Massachusetts  Institute 
of  Technology  (also  Charles  Stark  Draper  Laboratory  Report  T-557), 
Cambridge,  Massachusetts,  February  1972. 

Maybeck,  Peter  S.,  "The  Kalman  Filter  -  An  Introduction  for  Poten¬ 
tial  Users,"  TM-72-3,  Air  Force  Flight  Dynamics  Laboratory,  Wright- 
Patterson  AFB,  Ohio,  June  1972. 

Meier,  L. ,  D.W.  Ross,  and  M.B.  Glaser,  "Evaluation  of  the  Feasi¬ 
bility  of  Using  Internal  Redundancy  to  Detect  and  Isolate  Onboard 
Control  Data  Instrumentation  Failures,"  Technical  Report  AFFDL-TR- 
70-172,  Air  Force  Flight  Dynamics  Laboratory,  Wright-Patterson  AFB, 
Ohio,  January  1971. 

Papoulis,  A.,  Probability,  Random  Variables,  and  Stochastic  Pro¬ 
cesses,  McGraw-Hill  Book  Co.,  New  York,  New  York,  1965. 


192 


*U.S.aov«rnmmt  Printing  Office  1979  —  657-002/1*3 


